All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio i
Mike Meyers’
™
CompTIA Security+
Certification Guide
00-FM.indd 1
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio ii
ABOUT THE AUTHORS
Mike Meyers, CompTIA A+, CompTIA Network+, CompTIA Security+, is the industry’s leading authority on CompTIA certifications and the best-selling author of ten
editions of CompTIA A+ Certification All-in-One Exam Guide (McGraw Hill). He is
the president and founder of Total Seminars, LLC, a major provider of PC and network
repair seminars for thousands of organizations throughout the world, and a member
of CompTIA.
Scott Jernigan, CompTIA ITF+, CompTIA A+, CompTIA Network+, CompTIA
Security+, MCP, is the author or co-author (with Mike Meyers) of over two dozen IT
certification books, including CompTIA IT Fundamentals (ITF+) Certification All-inOne Exam Guide (McGraw Hill). He has taught seminars on building, fixing, and securing computers and networks all over the United States, including stints at the FBI
Academy in Quantico, Virginia, and the UN Headquarters in New York City, New York.
About the Technical Editor
Matt Walker is currently a member of the Cyber Security Infrastructure team at Kennedy
Space Center with DB Consulting. An IT security and education professional for more
than 20 years, he has served in multiple positions ranging from director of the Network
Training Center and a curriculum lead/senior instructor for Cisco Networking Academy
on Ramstein AB, Germany, to instructor supervisor and senior instructor at Dynetics,
Inc., in Huntsville, Alabama, providing onsite certification-awarding classes for (ISC)2,
Cisco, and CompTIA. Matt has written and contributed to numerous technical training
books for NASA, Air Education and Training Command, and the US Air Force, as
well as commercially (CEH Certified Ethical Hacker All-in-One Exam Guide, now in its
fourth edition), and continues to train and write certification and college-level IT and
IA security courses.
00-FM.indd 2
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio iii
Mike Meyers’
™
CompTIA Security+
Certification Guide
Third Edition
(Exam SY0-601)
Mike Meyers
Scott Jernigan
New York Chicago San Francisco
Athens London Madrid Mexico City
Milan New Delhi Singapore Sydney Toronto
McGraw Hill is an independent entity from CompTIA® and is not affiliated with CompTIA in any manner. This publication
and accompanying media may be used in assisting students to prepare for the CompTIA Security+ exam. Neither CompTIA
nor McGraw Hill warrants that use of this publication and accompanying media will ensure passing any exam. CompTIA
and CompTIA Security+ are trademarks or registered trademarks of CompTIA in the United States and/or other countries.
All other trademarks are trademarks of their respective owners. The CompTIA Marks are the proprietary trademarks and/or
service marks of CompTIA and its affiliates used under license from CompTIA.
00-FM.indd 3
20/03/21 7:04 PM
Copyright © 2021 by McGraw Hill. All rights reserved. Except as permitted under the United States Copyright Act of 1976, no
part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and
executed in a computer system, but they may not be reproduced for publication.
ISBN: 978-1-26-047370-4
MHID:
1-26-047370-8
The material in this eBook also appears in the print version of this title: ISBN: 978-1-26-047369-8,
MHID: 1-26-047369-4.
eBook conversion by codeMantra
Version 1.0
All trademarks are trademarks of their respective owners. Rather than put a trademark symbol after every occurrence of a trademarked name, we use names in an editorial fashion only, and to the benefit of the trademark owner, with no intention of infringement of the trademark. Where such designations appear in this book, they have been printed with initial caps.
McGraw-Hill Education eBooks are available at special quantity discounts to use as premiums and sales promotions or for use in
corporate training programs. To contact a representative, please visit the Contact Us page at www.mhprofessional.com.
Information has been obtained by McGraw Hill from sources believed to be reliable. However, because of the possibility of
human or mechanical error by our sources, McGraw Hill, or others, McGraw Hill does not guarantee the accuracy, adequacy, or
completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such
information.
TERMS OF USE
This is a copyrighted work and McGraw-Hill Education and its licensors reserve all rights in and to the work. Use of this work
is subject to these terms. Except as permitted under the Copyright Act of 1976 and the right to store and retrieve one copy of the
work, you may not decompile, disassemble, reverse engineer, reproduce, modify, create derivative works based upon, transmit,
distribute, disseminate, sell, publish or sublicense the work or any part of it without McGraw-Hill Education’s prior consent. You
may use the work for your own noncommercial and personal use; any other use of the work is strictly prohibited. Your right to
use the work may be terminated if you fail to comply with these terms.
THE WORK IS PROVIDED “AS IS.” McGRAW-HILL EDUCATION AND ITS LICENSORS MAKE NO GUARANTEES
OR WARRANTIES AS TO THE ACCURACY, ADEQUACY OR COMPLETENESS OF OR RESULTS TO BE OBTAINED
FROM USING THE WORK, INCLUDING ANY INFORMATION THAT CAN BE ACCESSED THROUGH THE WORK
VIA HYPERLINK OR OTHERWISE, AND EXPRESSLY DISCLAIM ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. McGraw-Hill Education and its licensors do not warrant or guarantee that the functions contained in the work
will meet your requirements or that its operation will be uninterrupted or error free. Neither McGraw-Hill Education nor its
licensors shall be liable to you or anyone else for any inaccuracy, error or omission, regardless of cause, in the work or for any
damages resulting therefrom. McGraw-Hill Education has no responsibility for the content of any information accessed through
the work. Under no circumstances shall McGraw-Hill Education and/or its licensors be liable for any indirect, incidental, special,
punitive, consequential or similar damages that result from the use of or inability to use the work, even if any of them has been
advised of the possibility of such damages. This limitation of liability shall apply to any claim or cause whatsoever whether such
claim or cause arises in contract, tort or otherwise.
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio v
For the great friends from around the world who shared
this crazy lockdown with us: Andre de Gooyert, Tullowit,
Alice Pozzi, Zak Morrill, Patricia Grace, Jose Braden,
and so many others. Cheers!
—Mike and Scott
00-FM.indd 5
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio vi
This page intentionally left blank
00-FM.indd 6
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
CONTENTS AT A GLANCE
Chapter 1
Risk Management .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Chapter 2
Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Chapter 3
Identity and Account Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Chapter 4
Tools of the Trade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Chapter 5
Securing Individual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Chapter 6
The Basic LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Chapter 7
Securing Wireless LANs .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Chapter 8
Securing Public Servers .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Chapter 9
Securing Dedicated Systems .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
Chapter 10
Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Chapter 11
Protocols and Applications .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
Chapter 12
Testing Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
Chapter 13
Dealing with Incidents .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
Appendix A Exam Objective Map .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Appendix B About the Online Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
vii
00-FM.indd 7
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio viii
This page intentionally left blank
00-FM.indd 8
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
CONTENTS
Chapter 1
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
xxi
Risk Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 1-1: Defining Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Likelihood . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Threat Actor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Vulnerability and Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . Circling Back to the Risk Definition . . . . . . . . . . . . . . . . . . . Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Threat Intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 1-2: Risk Management Concepts . . . . . . . . . . . . . . . . . . . . Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Risk Management Frameworks . . . . . . . . . . . . . . . . . . . . . . . Module 1-3: Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . Control Categories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Control Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 1-4: Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Risk Assessment Processes and Concepts . . . . . . . . . . . . . . . . Quantitative Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . Qualitative Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . Putting It All Together: Risk Analysis . . . . . . . . . . . . . . . . . . Risk Response . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 1-5: Business Impact Analysis . . . . . . . . . . . . . . . . . . . . . . BIA Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Types of Impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Locating Critical Resources . . . . . . . . . . . . . . . . . . . . . . . . . . Calculating Impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Calculating Downtime . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 1-6: Data Security and Data Protection . . . . . . . . . . . . . . . Organizing Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Legal and Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Data Destruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Privacy Breaches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
2
2
3
3
5
6
6
7
16
16
18
18
25
25
25
27
28
33
36
37
38
40
41
43
45
45
46
47
48
51
56
58
ix
00-FM.indd 9
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Mike Meyers’ CompTIA Security+ Certification Guide
x
Module 1-7: Personnel Risk and Policies . . . . . . . . . . . . . . . . . . . . . Hiring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Personnel Management Policies . . . . . . . . . . . . . . . . . . . . . . . Training . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Habits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Offboarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 1-8: Third-Party Risk and Policies . . . . . . . . . . . . . . . . . . . Third-Party Risk Management . . . . . . . . . . . . . . . . . . . . . . . Agreement Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Chapter 2
00-FM.indd 10
60
60
60
61
63
65
65
67
68
68
71
74
76
Cryptography. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Module 2-1: Cryptography Basics . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Essential Building Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Early Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Cryptography Components . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Module 2-2: Cryptographic Methods . . . . . . . . . . . . . . . . . . . . . . . 90
Symmetric Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Asymmetric Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Limitations in Symmetric vs. Asymmetric Cryptography . . . . 96
Hybrid Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
The Perfect Cryptosystem . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Module 2-3: Symmetric Cryptosystems . . . . . . . . . . . . . . . . . . . . . 98
DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
3DES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
AES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Blowfish . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Twofish . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
RC4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
Summary of Symmetric Algorithm Characteristics . . . . . . . . 102
Module 2-4: Asymmetric Cryptosystems . . . . . . . . . . . . . . . . . . . . . 103
RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Diffie-Hellman . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
PGP/GPG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
ECC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
ElGamal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Module 2-5: Hashing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Hashing Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
MD5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
SHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Contents
xi
Chapter 3
00-FM.indd 11
RIPEMD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HMAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 2-6: Digital Signatures and Certificates . . . . . . . . . . . . . . . Digital Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 2-7: Public Key Infrastructure . . . . . . . . . . . . . . . . . . . . . . Keys, Algorithms, and Standards . . . . . . . . . . . . . . . . . . . . . . PKI Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Digital Certificates and PKI Structure . . . . . . . . . . . . . . . . . . Key Safety . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Trust Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 2-8: Cryptographic Attacks . . . . . . . . . . . . . . . . . . . . . . . . Attack Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Attackable Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Attack Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Defending Password Storage . . . . . . . . . . . . . . . . . . . . . . . . . Other Attack Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 2-9: Other Cryptosystems . . . . . . . . . . . . . . . . . . . . . . . . . Homomorphic Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . Blockchain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Quantum Cryptography . . . . . . . . . . . . . . . . . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
110
110
111
113
120
121
123
124
131
132
133
133
135
137
145
146
148
149
149
150
150
152
Identity and Account Management . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 3-1: Understanding Authentication . . . . . . . . . . . . . . . . . . Identification and AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Identification and Authentication . . . . . . . . . . . . . . . . . . . . . Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 3-2: Authentication Methods and Access Controls . . . . . . . Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . Biometrics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authorization and Access Control Schemes/Models . . . . . . . Module 3-3: Account Management . . . . . . . . . . . . . . . . . . . . . . . . . User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Account Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Account Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 3-4: Point-to-Point Authentication . . . . . . . . . . . . . . . . . . PAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CHAP/MS-CHAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Remote Access Connection and Authentication Services . . . . 153
155
155
156
162
164
165
167
168
175
179
182
183
190
199
201
202
202
203
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Mike Meyers’ CompTIA Security+ Certification Guide
xii
00-FM.indd 12
Module 3-5: Network Authentication . . . . . . . . . . . . . . . . . . . . . . . The Challenge of LAN Access Management . . . . . . . . . . . . . Microsoft Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LDAP and Secure LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 3-6: Identity Management Systems . . . . . . . . . . . . . . . . . . Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Shared Authentication Schemes . . . . . . . . . . . . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
205
207
210
211
212
213
214
216
Chapter 4
Tools of the Trade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 4-1: Operating System Utilities . . . . . . . . . . . . . . . . . . . . . Network Reconnaissance and Discovery . . . . . . . . . . . . . . . . File Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Shell and Script Environments . . . . . . . . . . . . . . . . . . . . . . . Module 4-2: Network Scanners . . . . . . . . . . . . . . . . . . . . . . . . . . . . Scanning Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Scanning Targets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Scanner Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 4-3: Protocol Analyzers . . . . . . . . . . . . . . . . . . . . . . . . . . . Why Protocol Analyze? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 4-4: Monitoring Networks . . . . . . . . . . . . . . . . . . . . . . . . . Exploring Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Centralizing Log Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Information and Event Management . . . . . . . . . . . . Log File Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
217
218
231
235
237
239
239
239
246
247
248
251
252
253
257
259
262
263
264
Chapter 5
Securing Individual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 5-1: Types of System Attacks . . . . . . . . . . . . . . . . . . . . . . . Attacking Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Driver Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Malicious Code or Script Execution . . . . . . . . . . . . . . . . . . . Module 5-2: Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Virus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cryptomalware/Ransomware . . . . . . . . . . . . . . . . . . . . . . . . . Worm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Trojan Horse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Potentially Unwanted Programs . . . . . . . . . . . . . . . . . . . . . . . Bots/Botnets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Logic Bomb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
269
270
276
277
279
280
281
282
283
283
285
286
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Contents
xiii
Chapter 6
00-FM.indd 13
Keylogger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . RAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rootkit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Backdoor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 5-3: Cybersecurity Resilience . . . . . . . . . . . . . . . . . . . . . . . Non-persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Redundancy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Diversity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 5-4: Securing Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . Physical Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Securing the Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Securing Boot Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 5-5: Securing Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . Hardening Operating Systems . . . . . . . . . . . . . . . . . . . . . . . . Anti-malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Data Execution Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . File Integrity Monitors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Data Loss Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 5-6: System Recycling . . . . . . . . . . . . . . . . . . . . . . . . . . . . Clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Purge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Destroy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
287
288
288
288
289
295
300
300
301
303
305
310
310
317
319
319
320
321
321
323
324
324
326
The Basic LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 6-1: Layer 2 LAN Attacks . . . . . . . . . . . . . . . . . . . . . . . . . ARP Poisoning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Man-in-the-Middle Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . MAC Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . MAC Cloning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 6-2: Organizing LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . Network Segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Load Balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 6-3: Implementing Secure Network Designs . . . . . . . . . . . Securing the LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Internet Connection Firewalls . . . . . . . . . . . . . . . . . . . . . . . . Securing Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 6-4: Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . How VPNs Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Early VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . IPsec VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . TLS VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
327
328
330
332
333
334
335
338
342
343
343
347
354
357
358
360
360
361
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Mike Meyers’ CompTIA Security+ Certification Guide
xiv
00-FM.indd 14
Module 6-5: Network-Based Intrusion Detection/Prevention . . . . . Detection vs. Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . Detecting Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Network-Based IDS/IPS . . . . . . . . . . . . . . . . . . Monitoring NIDS/NIPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . Endpoint Detection and Response . . . . . . . . . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
362
362
364
366
367
367
369
Chapter 7
Securing Wireless LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 7-1: Networking with 802.11 . . . . . . . . . . . . . . . . . . . . . . Wireless Cryptographic Protocols . . . . . . . . . . . . . . . . . . . . . Wireless Authentication Protocols . . . . . . . . . . . . . . . . . . . . . Module 7-2: Attacking 802.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wireless Survey/Stumbler . . . . . . . . . . . . . . . . . . . . . . . . . . . Packet Capture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Attack Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Rogue Access Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Jamming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Packet Sniffing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Deauthentication Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . Near-Field Communication . . . . . . . . . . . . . . . . . . . . . . . . . . Replay Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . WEP/WPA Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . WPS Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wireless Peripherals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 7-3: Securing 802.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installation Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . Wireless Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Posture Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
371
372
377
380
380
381
381
382
383
385
385
386
387
387
388
388
389
389
393
397
398
400
Chapter 8
Securing Public Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 8-1: Attacking and Defending Public Servers . . . . . . . . . . . Distributed Denial-of-Service . . . . . . . . . . . . . . . . . . . . . . . . Route Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Quality of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 8-2: Virtualization Security . . . . . . . . . . . . . . . . . . . . . . . . Virtualization Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . Containers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Virtualization Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using Virtualization for Security . . . . . . . . . . . . . . . . . . . . . . 401
401
402
404
404
404
406
407
410
411
412
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Contents
xv
Module 8-3: Cloud Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . Let’s Talk Amazon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Cloud Deployment Models . . . . . . . . . . . . . . . . . . . . . . . . . . Cloud Architecture Models . . . . . . . . . . . . . . . . . . . . . . . . . . Cloud Growing Pains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 8-4: Securing the Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . Cloud Security Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . Unique Cloud Security Solutions . . . . . . . . . . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
416
419
422
424
426
426
432
432
434
Securing Dedicated Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 9-1: Embedded, Specialized, and Mobile Systems . . . . . . . Embedded Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SCADA/ICS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Internet of Things . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Specialized Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mobile Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 9-2: Connecting to Dedicated Systems . . . . . . . . . . . . . . . Common Communication Technologies . . . . . . . . . . . . . . . . IoT-Specific Communication Technologies . . . . . . . . . . . . . . Module 9-3: Security Constraints for Dedicated Systems . . . . . . . . Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Programming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 9-4: Implementing Secure Mobile Solutions . . . . . . . . . . . Mobile Device Management . . . . . . . . . . . . . . . . . . . . . . . . . Deployment Models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inventory Control and Asset Tracking . . . . . . . . . . . . . . . . . . Application Management and Security . . . . . . . . . . . . . . . . . Encryption and Authentication . . . . . . . . . . . . . . . . . . . . . . . Enforcement and Monitoring for Device Security . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
436
436
439
440
441
447
448
448
451
453
453
453
455
456
458
459
462
466
467
468
475
477
Chapter 10 Physical Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 10-1: Physical Security Controls . . . . . . . . . . . . . . . . . . . . Passive Defensive Systems and Perimeter Controls . . . . . . . . . Active Alert Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Manned Defensive Systems . . . . . . . . . . . . . . . . . . . . . . . . . . Module 10-2: Environmental Controls . . . . . . . . . . . . . . . . . . . . . . EMI and RFI Shielding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Fire Suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HVAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
479
480
488
489
494
494
495
498
Chapter 9
00-FM.indd 15
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Mike Meyers’ CompTIA Security+ Certification Guide
xvi
00-FM.indd 16
Temperature and Humidity Controls . . . . . . . . . . . . . . . . . . Hot and Cold Aisles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Environmental Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
499
500
500
502
Chapter 11 Secure Protocols and Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 11-1: Secure Internet Protocols . . . . . . . . . . . . . . . . . . . . . DNS Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . SRTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 11-2: Secure Web and E-mail . . . . . . . . . . . . . . . . . . . . . . . HTTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . HTTPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E-mail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 11-3: Web Application Attacks . . . . . . . . . . . . . . . . . . . . . Injection Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Hijacking and Related Attacks . . . . . . . . . . . . . . . . . . . . . . . . Other Web Application Attacks . . . . . . . . . . . . . . . . . . . . . . . Module 11-4: Application Security . . . . . . . . . . . . . . . . . . . . . . . . . Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Code Quality and Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . Staging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Production . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Quality Assurance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Getting Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 11-5: Certificates in Security . . . . . . . . . . . . . . . . . . . . . . . Certificate Concepts and Components . . . . . . . . . . . . . . . . . PKI Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Online vs. Offline CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . PKI TLS Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Types of Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Certificate Formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Key Escrow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
504
505
506
507
508
509
509
509
510
513
517
517
520
523
526
527
535
537
537
538
538
542
542
542
545
547
548
552
554
554
556
Chapter12
557
557
558
559
562
Testing Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Module 12-1: Vulnerability Impact . . . . . . . . . . . . . . . . . . . . . . . . . Device/Hardware Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . Configuration Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . .
Management/Design Vulnerabilities . . . . . . . . . . . . . . . . . . . 20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Contents
xvii
00-FM.indd 17
Module 12-2: Social Engineering . . . . . . . . . . . . . . . . . . . . . . . . . . Social Engineering Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . Principles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Types of Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 12-3: Artificial Intelligence . . . . . . . . . . . . . . . . . . . . . . . . .
Understanding Artificial Intelligence . . . . . . . . . . . . . . . . . . . Machine Learning Essentials . . . . . . . . . . . . . . . . . . . . . . . . . OSINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Adversarial Artificial Intelligence . . . . . . . . . . . . . . . . . . . . . . Module 12-4: Security Assessment . . . . . . . . . . . . . . . . . . . . . . . . . Threat Hunting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Vulnerability Scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 12-5: Assessment Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . Protocol Analyzer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Vulnerability Scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuration Compliance Scanner . . . . . . . . . . . . . . . . . . . . Penetration Testing with Metasploit . . . . . . . . . . . . . . . . . . . . Specific Tools Mentioned by CompTIA . . . . . . . . . . . . . . . . Interpreting Security Assessment Tool Results . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
564
567
570
577
577
577
578
579
579
580
581
584
590
591
591
593
594
594
595
596
597
599
Chapter 13 Dealing with Incidents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 13-1: Incident Response . . . . . . . . . . . . . . . . . . . . . . . . . . . Incident Response Concepts . . . . . . . . . . . . . . . . . . . . . . . . . Incident Response Procedures . . . . . . . . . . . . . . . . . . . . . . . . Scenarios: Mitigation During and After an Incident . . . . . . . Module 13-2: Digital Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . . Digital Forensics Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . Data Volatility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Critical Forensics Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . Data Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Analyzing Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Module 13-3: Continuity of Operations and Disaster Recovery . . . Risk Management Best Practices . . . . . . . . . . . . . . . . . . . . . . Contingency Planning and Resilience . . . . . . . . . . . . . . . . . . Functional Recovery Plans . . . . . . . . . . . . . . . . . . . . . . . . . . . Backup and Restore Plans and Policies . . . . . . . . . . . . . . . . . . Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
601
602
604
617
620
620
623
627
632
635
637
637
641
643
645
657
659
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Mike Meyers’ CompTIA Security+ Certification Guide
xviii
Appendix A Exam Objective Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Exam SY0-601 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
Appendix B About the Online Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Your Total Seminars Training Hub Account . . . . . . . . . . . . . . . . . . Privacy Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Single User License Terms and Conditions . . . . . . . . . . . . . . . . . . . TotalTester Online . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Other Book Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Video Training from Mike Meyers . . . . . . . . . . . . . . . . . . . . . TotalSim Simulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mike’s Cool Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
699
699
699
699
701
701
701
702
702
702
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
703
Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 769
00-FM.indd 18
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
ACKNOWLEDGMENTS
In general, we’d like to thank our amazing teams at McGraw Hill and KnowledgeWorks
Global Ltd. for such excellent support and brilliant work editing, laying out, and publishing this edition. Special shout out to our co-workers at Total Seminars—Michael
Smyer, Dave Rush, and Travis Everett—for listening to us rant and providing excellent
feedback.
We’d like to acknowledge the many people who contributed their talents to make this
book possible:
To Tim Green, our acquisitions editor at McGraw Hill: Thank you for the steady
encouragement during this crazy year. You’re the best!
To Matt Walker, technical editor: Excellent working with you! Thanks for laughing
at our geeky jokes and sharing great stories.
To Bill McManus, copy editor: What an absolute delight to do this project with you!
Your efforts made this a much better book.
To Emily Walters, acquisitions coordinator at McGraw Hill: Thanks for the Friday
meetings and slightly menacing cat-on-lap petting. Way to keep us on track!
To Neelu Sahu, project manager at KnowledgeWorks Global Ltd.: Enjoyed working with you, Neelu. Hope the somewhat chaotic pacing wasn’t too stressful!
To Lisa McCoy, proofreader: Fabulous job, thanks!
To Ted Laux, indexer extraordinaire: Well done!
To KnowledgeWorks Global Ltd. compositors: The layout was excellent, thanks!
To Janet Walden, editorial supervisor at McGraw Hill: Great to work with you on
this project! Next time we’ll make a few extra changes in page proofs just for you!
To Tom Somers, production supervisor at McGraw Hill: Thanks for waving that
magic wand of yours and making so much happen as smoothly as possible.
xix
00-FM.indd 19
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio xx
This page intentionally left blank
00-FM.indd 20
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
INTRODUCTION
Most societies teem with a host of networked devices, from servers to smartphones, that
provide the backbone for much of modern life. People and companies use these devices
to produce and sell products and services, communicate around the globe, educate at
every level, and manage the mechanisms of governments everywhere. Networked devices
and the complex networks that interconnect them offer advances for humanity on par
with, or perhaps beyond, the Agricultural and Industrial Revolutions. That’s the good
news.
The bad news is the fact that reliance on these devices creates a security risk to the
resources placed on them. Networks can lose critical data and connections, both of which
equate to loss of energy, confidence, time, and money. To paraphrase a few words from
the American statesman, James Madison, if humans were angels, there’d be no need for
security professionals. But humans are at best negligent and at worst petty, vindictive,
and astoundingly creative in pursuit of your money and secrets.
Networked devices and the networks that interconnect them need security professionals to stand guard. The need for security professionals in information technology (IT) far
outstrips demand, and we assume that’s why you picked up this book. You see the trend
and want to take the first step to becoming an IT security professional by attaining the
acknowledged first security certification to get CompTIA Security+.
This introduction starts with an overview of the goals of security, to put a framework
around everything you’re going to learn. Second, we’ll discuss the CompTIA Security+
certification and look at exam details. Finally, this introduction details the overall structure of the book, providing a roadmap for studying for the exam.
Goals of Security
Traditional computer security theory balances among three critical elements: functionality, security, and the resources available to ensure both. From a functionality standpoint,
systems must function as people need them to function to process the data needed. Users
and other systems need to interface with systems and data seamlessly to get work done.
Don’t confuse functionality with free rein. Allowing users to do whatever they wish with
systems and data may result in loss, theft, or destruction of systems and data. Therefore,
functionality must balance with security.
From the security standpoint, however, increasing the levels of protection for systems
and data usually reduces functionality. Introducing security mechanisms and procedures
into the mix doesn’t always allow users to see or interact with data and systems the way
they would like. This usually means a reduction in functionality to some degree.
xxi
00-FM.indd 21
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Mike Meyers’ CompTIA Security+ Certification Guide
xxii
Figure 1
Balancing functionality, security,
and resources
More
Functionality
Resources
Security
Less
To add another wrinkle, the resources expended toward functionality and security, and
the balance between them, are finite. No one has all the money or resources they need or
as much functionality or security as they want. Keep in mind, therefore, that the relationship between functionality and security is inversely proportional; that is to say, the more
security in place, the less functionality, and vice versa. Also, the fewer resources a person
or organization has, the less of either functionality or security they can afford. Figure 1
illustrates this careful balancing act among the three elements of functionality, security,
and resources.
Security theory follows three goals, widely considered the foundations of the IT
security trade: confidentiality, integrity, and availability. Security professionals work to
achieve these goals in every security program and technology. These three goals inform
all the data and the systems that process it. The three goals of security are called the
CIA triad. Figure 2 illustrates the three goals of confidentiality, integrity, and availability.
NOTE The CIA triad is put into practice through various security
mechanisms and controls. Every security technique, practice, and
mechanism put into place to protect systems and data relates in some
fashion to ensuring confidentiality, integrity, and availability.
Confidentiality
Confidentiality tries to keep unauthorized people from accessing, seeing, reading, or
interacting with systems and data. Confidentiality is a characteristic met by keeping
data secret from people who aren’t allowed to have it or interact with it in any way, while
making sure that only those people who do have the right to access it can do so. Systems
achieve confidentiality through various means, including the use of permissions to data,
encryption, and so on.
00-FM.indd 22
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Introduction
xxiii
Figure 2
The CIA triad
Confidentiality
Systems
and
Data
Integrity
Availability
Integrity
Meeting the goal of integrity requires maintaining data and systems in a pristine, unaltered state when they are stored, transmitted, processed, and received, unless the alteration is intended due to normal processing. In other words, there should be no unauthorized modification, alteration, creation, or deletion of data. Any changes to data must be
done only as part of authorized transformations in normal use and processing. Integrity
can be maintained by the use of a variety of checks and other mechanisms, including data
checksums and comparison with known or computed data values.
Availability
Maintaining availability means ensuring that systems and data are available for authorized users to perform authorized tasks, whenever they need them. Availability bridges
security and functionality, because it ensures that users have a secure, functional system
at their immediate disposal. An extremely secure system that’s not functional is not available in practice. Availability is ensured in various ways, including system redundancy,
data backups, business continuity, and other means.
During the course of your study, keep in mind the overall goals in IT security. First,
balance three critical elements: functionality, security, and the resources available to ensure both. Second, focus on the goals of the CIA triad—confidentiality, integrity, and
availability—when implementing, reviewing, managing, or troubleshooting network
and system security. The book returns to these themes many times, tying new pieces of
knowledge to this framework.
00-FM.indd 23
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Mike Meyers’ CompTIA Security+ Certification Guide
xxiv
CompTIA Security+ Certification
The CompTIA Security+ certification has earned the reputation as the first step for
anyone pursuing a career in the highly complex, highly convoluted, and still very much
evolving world of IT security. Let’s start with a description of CompTIA, then look at
the specifics of the certification.
CompTIA
The Computing Technology Industry Association (CompTIA) is a nonprofit, industrywide organization of just about everyone in the IT industry. The different aspects of
CompTIA’s mission include certification, education, and public policy.
As of this writing, CompTIA offers 13 vendor-neutral certifications covering a wide
range of information technology areas. Examples of some of these areas and certifications
include CompTIA Linux+ (focusing on the Linux operating system), CompTIA A+
(which focuses on computer technology support fundamentals), CompTIA Network+
(covering different network technologies), and, of course, CompTIA Security+.
CompTIA certifications are considered the de facto standard in the industry in some
areas. Because they are vendor neutral, almost all CompTIA certifications cover basic
knowledge of fundamental concepts of a particular aspect of IT. CompTIA works hard
to develop exams that accurately validate knowledge that professionals must have in that
area. This enables employers and others to be confident that the individual’s knowledge
meets a minimum level of skill, standardized across the industry.
The CompTIA Security+ Exam
Let’s state up front that CompTIA does not have any requirements for individuals who
want to take the CompTIA Security+ exam. There are no prerequisites for certification
or definitive requirements for years of experience. CompTIA does have several
recommendations, on the other hand, including knowledge that might be validated by
other CompTIA certifications such as the CompTIA Network+ certification. In other
words, the level of networking knowledge you are expected to have before you take the
CompTIA Security+ exam is the level that you would have after successfully completing
the CompTIA Network+ certification. Here are CompTIA’s recommendations:
•• Network+ certification
•• Two years of experience in IT systems administration, with a focus on security
You should have experience in several areas, such as networking knowledge, basic
information security concepts, hardware, software (both operating systems and applications), cryptography, physical security, and so on. The next few sections cover specific
exam objectives that you need to know.
00-FM.indd 24
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Introduction
xxv
The following table shows the five domains in the CompTIA Security+ Certification
Exam Objectives document for exam SY0-601. Each of these domains has very detailed
exam objectives.
Domain
Name
Percent of Exam
1.0
Threats, Attacks, and Vulnerabilities
24
2.0
Architecture and Design
21
3.0
Implementation
25
4.0
Operations and Incident Response
16
5.0
Governance, Risk, and Compliance
14
Threats, Attacks, and Vulnerabilities
Domain 1.0 is all about the attacks, from malware to application attacks. It’s critical you
know your keyloggers from your RATs and your buffer overflows from your cross-site
scripting. In addition, you should recognize the threat actors, from script kiddies to
evil governments to incompetent users. Along with the threats and attacks, you should
understand different types of vulnerabilities that enable these attacks to thrive and the
two main tools you use to minimize those vulnerabilities, security assessments, and penetration testing.
Architecture and Design
Domain 2.0 explores a lot of topics under its benign-sounding title. You’re expected
to explain important security concepts, such as data protection, hashing, and site resiliency. The domain covers cloud models, such as infrastructure as a service (IaaS); you’ll
need to summarize containers, infrastructure as code, and virtualization. In addition,
this domain covers the design of secure applications and security for embedded systems.
Domain 2.0 requires you to know how to use security devices, protocols, and tools. This
domain covers the frameworks that enable secure IT, the design concepts such as defensein-depth, and benchmarks used to measure security. This domain covers technologies to
defend networks, such as VLANs, screened subnets, and wireless designs. In addition,
this domain covers the design of secure applications and security for embedded systems.
Domain 2.0 also covers physical security controls, such as fencing and fire prevention.
Finally, domain 2.0 expects knowledge of cryptographic concepts. You’ll get questions
on symmetric versus asymmetric cryptography, for example. The objectives explore public key encryption, keys, salting, hashing, and more.
Implementation
The key with domain 3.0 is in the name, “Implementation.” Concepts discussed in
other domains get scenario-level in this domain. Domain 3.0 goes into great detail about
authentication, authorization, and accounting. It expects you to know and implement
authentication and the many identity and access services such as LDAP and Kerberos.
00-FM.indd 25
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Mike Meyers’ CompTIA Security+ Certification Guide
xxvi
The domain addresses authorization via user groups and accounts and the tools and
methods used to control them. You’ll need to know how to implement secure wireless
and mobile solutions, plus apply cybersecurity solutions to cloud computing. Finally, the
domain expects you to understand how to implement public key infrastructure.
Operations and Incident Response
Domain 4.0 explores organizational security, such as incident response policies and procedures. You’ll need to know mitigation techniques and controls, plus practical forensic
practices, such as how to acquire and handle evidence.
Governance, Risk, and Compliance
Domain 5.0 defines critical concepts in risk management, such as events, exposures,
incidents, and vulnerability. You’re expected to know risk-related tools, such as business
impact analysis, assessments, incident response, and disaster recovery/business continuity. You’ll need to understand the regulations, standards, and frameworks that impact
operational security and explain policies that organizations use to implement security.
Finally, the domain expects you to know how privacy and sensitive data use impacts
security.
Getting Certified
This book covers everything you’ll need to know for CompTIA’s Security+ certification
exam. The book is written in a modular fashion, with short, concise modules within
each chapter devoted to specific topics and areas you’ll need to master for the exam. Each
module covers specific objectives and details for the exam, as defined by CompTIA.
We’ve arranged these objectives in a manner that makes fairly logical sense from a learning perspective, and we think you’ll find that arrangement will help you in learning the
material.
NOTE Throughout the book, you’ll see helpful Notes and Exam Tips. These
elements offer insight on how the concepts you’ll study apply in the real
world. Often, they may give you a bit more information on a topic than what
is covered in the text or expected on the exam. And they may also be helpful
in pointing out an area you need to focus on or important topics that you
may see on the test.
End of Chapter Questions
At the end of each chapter you’ll find questions that will test your knowledge and understanding of the concepts discussed in the modules. The questions also include an answer
key, with explanations of the correct answers.
00-FM.indd 26
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM
Introduction
xxvii
Using the Exam Objective Map
The Exam Objective map included in Appendix A has been constructed to help you
cross-reference the official exam objectives from CompTIA with the relevant coverage in
the book. References have been provided for the exam objectives exactly as CompTIA
has presented them—the module that covers that objective, the chapter, and a page reference are included.
Online Resources
The online resources that accompany this book feature the TotalTester exam software
that enables you to generate a complete practice exam or quizzes by chapter or by exam
domain. See Appendix B for more information.
Study Well and Live Better
We enjoyed writing this book and hope you will enjoy reading it as well. Good luck in
your studies and good luck on the CompTIA Security+ exam. If you have comments,
questions, or suggestions, tag us:
Mike: desweds@protonmail.com
Scott: jernigan.scott@gmail.com
00-FM.indd 27
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / FM / Blind Folio xxviii
This page intentionally left blank
00-FM.indd 28
20/03/21 7:04 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
1
CHAPTER
Risk Management
“It seems to me that if there were any logic to our language,
trust would be a four-letter word.”
—Joel Goodson, Risky Business
IT security professionals walk a tight line between keeping systems safe from inside and
outside threats and making resources available to people who need them. Perfectly secure
systems would allow no access, right? If attackers can’t access the systems, they can’t break
or steal anything. But such “perfect” security clearly blocks legitimate users from using
resources to produce anything of value. Conversely, a wide-open system provides great
access for creativity and production, but also provides access to malicious people.
Security professionals provide a space in between, with enough security to stop attackers,
yet enough access to enable good people to create and produce. With risk management,
security folks identify and categorize risks and then systematically put controls in place
to manage those risks and thus minimize their impact on the organization. As a science,
risk management uses statistics, facts, scans, and numbers to align a vision, a design for
the organization. As an art, security professionals craft a plan for risk management that
people will buy into and actually follow.
This chapter tours IT risk management in eight modules:
•
•
•
•
•
•
•
•
Defining Risk
Risk Management Concepts
Security Controls
Risk Assessment
Business Impact Analysis
Data Security and Data Protection
Personnel Risk and Policies
Third-Party Risk and Policies
1
01-ch01.indd 1
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
2
Module 1-1: Defining Risk
This module covers the following CompTIA Security+ objectives:
• 1.2 Given a scenario, analyze potential indicators to determine the
type of attack
• 1.5 Explain different threat actors, vectors, and intelligence sources
In IT security, risk implies a lot more than the term means in standard English. Let’s
start with a jargon-filled definition, then examine each term in the definition. We’ll
review the definition with some examples at the end of the module.
Risk is the likelihood of a threat actor taking advantage of a vulnerability by using a
threat against an IT system asset.
This definition of risk includes five jargon terms that require further explanation:
•
•
•
•
•
Asset
Likelihood
Threat actor
Vulnerability
Threat
Defining each jargon word or phrase relies at least a little on understanding one or
more of the other jargon phrases. We’ll cover these next, and then explore two related
topics, vectors and threat intelligence, to round out the concept of risk. Let’s do this.
Asset
An asset is a part of an IT infrastructure that has value. You can measure value either
tangibly or intangibly. A gateway router to the Internet is an example of an asset with
tangible value. If it fails, you can easily calculate the cost to replace the router.
What if that same router is the gateway to an in-house Web server? If that Web server
is no longer accessible to your customers, they’re not going to be happy and might
go somewhere else due to lack of good faith or goodwill. Good faith doesn’t have a
measurable value; it’s an intangible asset.
Here are a few more examples of assets:
•
•
•
•
•
01-ch01.indd 2
Servers The computers that offer shared resources
Workstations The computers that users need to do their job
Applications Task-specific programs an organization needs to operate
Data The stored, proprietary information an organization uses
Personnel The people who work in an organization
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-1: Defining Risk
3
• Wireless access Access to the network that doesn’t require plugging into an
Ethernet port
• Internet services The public- or private-facing resources an organization provides
to customers, vendors, or personnel via the Web or other Internet applications
We will cover assets in much greater detail later in this chapter.
Likelihood
Likelihood means the probability—over a defined period of time—of someone or something damaging assets. Likelihood is generally discussed in a comparative nature. Here
are a couple of examples:
• The company expects many attacks on its Web server daily, but few on its internal
servers. The potential for a successful attack on the Web server is much more likely
than on internal servers, and thus the controls—the things put in place to protect
the systems—would vary a lot.
• Hard drives will likely fail after three years, with the probability of failure rising
over time. The drive could fail right out of the box, but the likelihood of failure of
a drive under three years old is much lower than a drive of three or more years old.
NOTE You will also hear the term probability as a synonym for likelihood.
Threat Actor
A threat actor is anyone or anything that has the motive and resources to attack another
enterprise’s IT infrastructure. Threat actors manifest in many forms. Many folks think of
a threat actor as a malicious person, such as a classic hacker bent on accessing corporate
secrets. But a threat actor can take different guises as well, such as programs automated
to attack at a specific date or time. A threat actor could be a respected member of an
organization who has just enough access to the IT infrastructure but lacks the knowledge
of what not to do. The word actor here simply means someone or something that can
initiate a negative event.
The CompTIA Security+ exam covers nine specific types of threat actor:
•
•
•
•
•
•
01-ch01.indd 3
Hackers
Hacktivists
Script kiddies
Insiders
Competitors
Shadow IT
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
4
• Criminal syndicates
• State actors
• Advanced persistent threat
Hackers—and more specifically security hackers—have the technical skills to gain
access to computer systems. White hat hackers use their skills for good, checking for
vulnerabilities and working with the full consent of the target. The malicious black hat
hackers, in contrast, do not have the consent of the target. Gray hat hackers fall somewhere
in the middle. They’re rarely malicious, but usually do not have the target’s consent.
EXAM TIP The CompTIA Security+ objectives use bland and nonstandard
descriptive terms for hacker types. Be prepared for either term to describe/
label a hacker.
—White hat = Authorized
—Black hat = Unauthorized
—Gray hat = Semi-authorized
A hacktivist is a hacker and an activist. These threat actors have some form of agenda,
often political or fueled by a sense of injustice. Hacktivism is often associated with
sophisticated yet loosely associated organizations, such as Anonymous.
Free Willy!
Save the whales!
Script kiddies are poorly skilled threat actors who take advantage of relatively easyto-use open-source attacking tools. They get the derogatory moniker because they don’t
have skills that accomplished hackers possess. Their lack of sophistication makes them
notoriously easy to stop, most of the time.
Insiders (or insider threats) are people within an organization. As part of the targeted
organization, these threat actors have substantial physical access and usually have user
accounts that give them access to assets. In fact, the absolute best way to attack an
organization is to be hired by them. You get hired; they hand you the keys to the
kingdom; you’re in. Insiders are often motivated by revenge or greed, but that’s not
universal. Some folks just do stupid things that cause all sorts of havoc.
01-ch01.indd 4
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-1: Defining Risk
5
Shadow IT describes information technology systems installed without the knowledge
or consent of the main IT department. Almost never based on malicious intent, shadow
IT springs up when users need to work around limitations imposed by IT departments
for purposes of security, limitations that hamper their jobs.
Isn’t it interesting that one attribute of the two previous threat actors is that they are
inside the organization? The rest of the threat actors are external to the organization.
EXAM TIP Take the time to recognize the attributes of threat actors:
internal/external, intent/motivation, resources/funding, level of
sophistication/capability.
Competitors are outside organizations that try to gain access to the same customers as
the targeted company. Competitors, by definition in the same business, know precisely
the type of secure information they want. Organizations practice competitive intelligence
gathering to get information about competitors, their customers, their business practices,
and so on. The information gathered can help shape business practices.
Criminal syndicates use extra-legal methods to gain access to resources. Also known
as organized crime, criminal syndicates are a huge problem today. These groups are
sophisticated, are well funded, and cause tremendous damage to vulnerable systems
worldwide to make money.
State actors—or nation states—refers to government-directed attacks, such as the
United States sending spies into Russia. Whereas criminal syndicates commonly use
threats specifically to make money, state actors take advantage of vulnerabilities to acquire
intelligence. Nation states have the resources—people and money—to collect open-source
intelligence (OSINT) successfully—information from media (newspapers, television),
public government reports, professional and academic publications, and so forth.
State actors are easily the best funded and most sophisticated of all threat actors. State
actors often use advanced persistent threats (APTs), where a threat actor gets long-term
control of a compromised system, continually looking for new data to steal.
NOTE Many state actors use criminal syndicates to conduct cyberattacks
against other nation states.
Vulnerability and Threat
The terms vulnerability and threat go hand-in-hand, so it makes sense to talk about both
at the same time. A vulnerability is a weakness inherent in an asset that leaves it open
to a threat. A threat is an action a threat actor can use against a vulnerability to create a
negative effect.
Vulnerabilities and their associated threats exist at every level of an organization. Not
changing the default password on a router is a vulnerability; someone taking control of
your router by using the default password is the threat. Giving a user full control to a
01-ch01.indd 5
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
6
shared folder (when that user does not need nor should have full control) is a vulnerability.
That same user having the capability to delete every file in that folder is a threat.
Hmm . . . I wonder
what would happen if
I pressed [Delete]?
Oh no!
Threats do not have to originate only from people or organizations. Forces of nature
like earthquakes and hurricanes (a big deal here in Houston, Texas) can also be threats.
As you might imagine, dealing with threats by minimizing vulnerabilities is a core
component of risk management. This chapter will develop this concept in detail.
NOTE You will see two other terms associated with the jargon phrases
covered in this section, attack and incident. An attack is when a threat actor
actively attempts to take advantage of a vulnerability. When the target
recognizes an attack, it is called an incident. Both attacks and incidents go
beyond the concept of risk and are covered in Chapter 13.
Circling Back to the Risk Definition
Now that we have explored each jargon term in some detail, let’s look at the definition of
risk again and follow it with an example.
Risk is the likelihood of a threat actor taking advantage of a vulnerability by using a
threat against an IT system asset.
Here’s an example of a risk:
There’s a 15 percent chance in the next month that Sally the hacktivist will guess correctly
John’s password on the important company server to gain access to secret documents.
The likelihood is 15 percent over the next month. The threat actor is Sally the hacktivist.
John’s lame password is a vulnerability; the threat is that Sally will get that password and
use it to access the server. The assets are both the server and the secret documents. Got
it? Let’s move on.
Vectors
Threat actors use a variety of attack vectors—pathways to gain access to infrastructure—
to carry out attacks. In the olden days, threat actors used floppy disks or optical media
01-ch01.indd 6
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-1: Defining Risk
7
as vectors to install malware or tools. Today, the only commonly used removable media
are USB thumb drives, the vector of choice for a threat actor who has physical access to
a target system. Other attack vectors include the classic “hacker gets into your network
through your router” (a.k.a. direct access), the ubiquitous vector of wireless networks
(802.11, Bluetooth, cellular), and the relatively new cloud vector.
Don’t limit yourself to thinking networking when you consider vectors. Almost any
application that transfers information between systems might be a vector. Threat actors
can use e-mail, social media, conferencing, and even shared document applications as
vectors for an attack.
Smartphones and other mobile devices and the Internet of Things (IoT) offer
serious and growing attack vectors for modern organizations. Just about everyone has
a smartphone with sophisticated recording—video and sound—devices built in, plus
always-on connectivity to the cellular network and the Internet. Any rogue or buggy app
can create a pathway into a network. IoT devices controllable from outside the network
also provide a point of entry to the network. It’s a brave new world that attackers will try
very hard to exploit.
The infamous Stuxnet worm that disrupted the Iranian nuclear program back in 2010
used a supply-chain vector. Threat actors (almost certainly the United States and Israel)
infected printers with this worm that were then purchased by the Iranian government.
This is a brutal example of a supply-chain attack.
Threat Intelligence
Cybersecurity professionals in organizations maintain and update information about
past, current, and potential threats to the organization. This collection of information,
called threat intelligence, helps those security professionals prepare for—and hopefully
prevent—attacks on the organization.
Moreover, most security folks share information about vulnerabilities and associated
threats with other professionals in the field. It’s like one big, highly paranoid family
out there!
Sources for threat intelligence come from many places. Dedicated threat intelligence
sources—such as vulnerability databases available on the Internet—provide a wealth of
information, of course. But so do what CompTIA calls research sources—things like
academic journals and social media. Security professionals dive into all of these sources
to build their threat intelligence.
This section explores the types of sources available for threat intelligence gathering
and provides examples. This is not an exhaustive list of specific sources—impossible and
instantly outdated—but a guide to the types of sources. We’ll look at dedicated threat
intelligence sources, then follow with research sources.
Threat Intelligence Sources
Dedicated threat intelligence sources enable security professionals to research potential threats to their organizations and share threats they discover with their peers. These
sources reveal the past and current threats, explore potential threats by defining characteristics or signature types, and much more.
01-ch01.indd 7
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
8
This section explores nine dedicated threat intelligence sources:
•
•
•
•
•
•
•
•
•
OSINT
Public/private information-sharing centers
Dark Web
Indicators of compromise
Adversary tactics, techniques, and procedures
Predictive analysis
Threat maps
File/code repositories
Vulnerability databases
OSINT We discussed open-source intelligence (OSINT) sources earlier in this module.
This category includes information gathered from media (newspapers, television), public government reports, professional and academic publications, and so forth. Security
professionals rely heavily on OSINT for the big picture or the framework for the picture
that can then get more specific in terms of nonpublic information layers.
Public/Private Information-Sharing Centers Motivated by the lack of coordinated
information sharing between different federal organization after 9/11, the US government
began a series of legislation establishing information-sharing centers, more commonly called
Information Sharing and Analysis Centers (ISACs). Originally designed as governmentbased public entities just in the United States, most countries now have public ISACs as
well as many private ISACs. ISACs communicate via Automated Indicator Sharing (AIS)
tools to update each other’s databases automatically.
The US Department of Homeland Security (DHS) sponsors several specifications
for facilitating cybersecurity information sharing. Trusted Automated eXchange of
Intelligence Information (TAXII) enables information sharing through services and
message exchanges. TAXII provides transport for threat information exchange. Structured
Threat Information eXpression (STIX) enables communication among organizations by
providing a common language to represent information. Cyber Observable eXpression
(CybOX) provides standardized specifications for communicating about cybersecurity
phenomenon and elements, from malware types to event logging. DHS has made these
specifications available globally for free.
EXAM TIP You might see a question on the CompTIA Security+ exam about
DHS-sponsored specifications for cybersecurity information sharing. Only
TAXII and STIX are in the objectives, though. CybOX is not mentioned.
Dark Web The Dark Web refers to Internet sites that are inaccessible without using
specific applications such as the Tor network. Dark Web sites run the gamut from
illegal drug sales to terrorist groups to interesting puzzles, with just about everything
01-ch01.indd 8
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-1: Defining Risk
9
Figure 1-1 A sketchy site on the Dark Web
in between (Figure 1-1). Dark Web sites are “dark” because search engines, like Google,
don’t index them. You can’t find these sites with a typical Internet search, in other words,
but they function just like any other Web site.
The Dark Web can provide a lot of important information, especially about criminal
activity through sting operations conducted by law enforcement agents posing as Dark
Web site visitors interested in engaging in illegal transactions. Plus, a lot of Dark Web
sites offer highly entertaining, completely legal content. It’s the Wild West, so take care
if (when) you venture in.
Indicators of Compromise It’s almost impossible for a threat actor to attack a system
and not leave behind clues of the actor’s presence. An IT security person must recognize
the artifact of an intrusion, known as an indicator of compromise (IoC). IoCs take on
many forms. A sudden increase in outgoing network traffic, malware signatures, strange
changes in file permissions—all of these are examples of IoCs. IoCs feature as key
evidence collected in forensic investigations.
Recognizing IoCs enables cybersecurity professionals to monitor networks and provide
threat monitoring tools as threat feeds—real-time data streams to recognize threats. Threat
feeds work with internal networks as well as outside networks.
Adversary Tactics, Techniques, and Procedures The term adversary tactics,
techniques, and procedures (TTP) describes the actions of threat actors to gain access to
01-ch01.indd 9
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
10
your infrastructure. A tactic is the goal of the attacker, such as to gain initial access to
a network or system. A technique is how the attacker implements that tactic, such as
using a valid account or finding a weakness in your supply chain to gain initial access. A
procedure is precisely how the attacker performs the technique; for example, watching a
user’s keyboard as the user enters an account password.
The MITRE ATT&CK framework incorporates TTP, breaking tactics into a dozen
or so categories and providing common techniques associated with those tactics. Check
it out here: https://attack.mitre.org.
EXAM TIP CompTIA places threat feeds and TTP as types of research sources,
but many researchers consider them part of dedicated threat intelligence
sources. Either way, the key for the exam is that both sources enable you to
enhance threat intelligence.
Predictive Analysis Every IT security professional could use a crystal ball enabling
him or her to know an incident is about to take place. That’s the world of predictive
analysis: using software, often artificial intelligence, to look for trends to anticipate any
upcoming problems. Predictive analysis isn’t perfect for every aspect of IT security, but
for issues like hardware failure prediction and network loads, predictive analysis is a
powerful tool.
NOTE Check out the Predictive Analytics portal at CIO for the latest news on
the subject: https://www.cio.com/category/predictive-analytics/.
Threat Maps Threat maps are graphical representations of the geographical source and
target of attacks (Figure 1-2). Threat maps are certainly pretty, but they aren’t real time
and they lack any form of deep detail about the attacks. They work well for presentations,
especially to show broader trends.
File/Code Repositories A repository is a storage area for data files or code. Unlike
archive data, repository data/code is stored in such a way that the data/code is sorted
or indexed based on certain information pertinent to that data or code. Log files for an
entire network over a certain number of years is one example of a file repository. Code
repositories are a different matter. These are used by developers to produce and control
code development. It’s rare to find anything written these days that doesn’t use a code
repository like GitLab (Figure 1-3).
EXAM TIP CompTIA lumps file and code repositories into a single term,
file/code repositories.
Vulnerability Databases The IT industry aggressively looks for vulnerabilities and
their associated threats. Many governments and organizations host vulnerability databases,
01-ch01.indd 10
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-1: Defining Risk
11
Figure 1-2 Cyber Threat Map from FireEye
Figure 1-3 GitLab
01-ch01.indd 11
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
12
Figure 1-4 NIST National Vulnerability Database
collections of all the known problem areas or weaknesses in deployed software. One of
the most important vulnerability databases in the United States is the National Institute
of Standards and Technology’s National Vulnerability Database (Figure 1-4).
Another great source for vulnerabilities is the Common Vulnerabilities and Exposures
(CVE) list provided by MITRE Corporation: https://cve.mitre.org.
Also, check out the open-source, community-driven vulnerability database, VULDB:
https://vuldb.com.
There are a lot more vulnerability databases out there, but these three should get you
started.
NOTE CompTIA’s division between research sources and threat intelligence
sources is somewhat arbitrary. In practice, these two areas overlap.
01-ch01.indd 12
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-1: Defining Risk
13
Research Sources
Research sources aren’t devoted exclusively to the idea of threat intelligence, but they’re
always good places to look for problems in a more generic way. Whether you’re just
checking a vendor forum or chatting at a conference, if security issues are out there,
they’re always a hot topic. This section looks at seven common research sources:
•
•
•
•
•
•
•
Vendor Web sites
Vulnerability feeds
Conferences
Academic journals
Requests for comments
Local industry groups
Social media
If you want to know anything about a product, go directly to the vendor Web site to do
some good research (Figure 1-5). Who else knows more about a product (hopefully) than
the vendor who makes or sells it? Find a support forum and dig in!
If you want to stay on the bleeding edge of vulnerabilities and you want them basically
delivered to you, vulnerability feeds make your research easy (easier) by delivering RSS
feeds, tweets, social media posts, or other methods to let you see what’s out there. There
are hundreds of these types of feeds. The NVD, mentioned earlier, has a great feed.
Get out there and hit some conferences! There are plenty of great conferences at the
regional, national, and international level. Every IT security person should make a trip
to the famous Black Hat conference, held annually in Las Vegas and in other locations
internationally (such as Black Hat Europe and Black Hat Asia).
Reading academic journals is the ultimate egghead research path, but many
vulnerabilities are first brought to public attention using journals. The only challenge to
reading about vulnerabilities in academic journals is that the articles often only discuss a
theoretical vulnerability without showing how to do it (in many cases, someone usually
does create a practical attack after an article is published).
Requests for comments (RFCs) started as the original ARPANET documents that
literally defined the Internet. While this is still true, RFCs evolved to cover every aspect
of TCP/IP communication and are issued by Internet Engineering Task Force (IETF),
the Internet Research Task Force (IRTF), and the Internet Architecture Board (IAB). If
you want the gritty details on any technology that is part of TCP/IP communications,
RFCs are the place to go (Figure 1-6). All RFCs are public and can be accessed via www
.rfc-editor.org.
Many security issues are industry specific, so joining local industry groups is almost
always the best way to connect with the folks who deal with similar issues in your industry.
These are often the only reliable source for industry-specific or closed/proprietary
information. Search in your area for a local Information Systems Security Association
International (ISSA) chapter. They’re super good: https://issa.org.
01-ch01.indd 13
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
14
Figure 1-5 Advanced networking device manufacturer Juniper’s support forums
Virtually every company or organization that provides hardware, software, services, or
applications has some form of bug bounty program. These programs reward people who
report vulnerabilities with money, swag, and acclaim (Figure 1-7). Before you get too
excited and start hacking your favorite (fill in the blank), know that all of these programs
have very specific scopes and parameters. Going beyond the scope could get you in
serious legal trouble. Look before you leap! And get permission before you start.
Social media, such as Twitter and Reddit, provide a wealth of threat intelligence sources.
Numerous Twitter feeds are dedicated to cybersecurity. Check out @Dejan_Kosutic—
for hourly updates. The r/threatintel subreddit, while not quite as hyperactive as the
Twitter feeds, has some great information as well. IT security professionals use a lot of
tools to combat risk. These tools get lumped together under the term “risk management.”
Primarily, the tools reduce the impact of—mitigate—threats posed to an organization.
Module 1-2 explores risk management concepts; later modules expand on the toolsets
available. Let’s leave Module 1-1 with a definition of the job of an IT security professional:
IT security professionals implement risk management techniques and practices to
mitigate threats to their organizations.
01-ch01.indd 14
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-1: Defining Risk
15
Figure 1-6 RFC for HTTPS
Figure 1-7 Facebook vulnerability reporting
01-ch01.indd 15
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
16
Module 1-2: Risk Management Concepts
This module covers the following CompTIA Security+ objectives:
• 5.2 Explain the importance of applicable regulations, standards, or
frameworks that impact organizational security posture
• 5.3 Explain the importance of policies to organizational security
Module 1-1 ended with a pithy job description: IT security professionals implement
risk management techniques and practices to mitigate threats to their organizations. To get
to the “implement” stage requires knowledge, naturally, and the term “risk management”
is loaded with meaning. This module explores four aspects of risk management:
infrastructure, security controls, risk management frameworks, and industry-standard
frameworks and reference architectures. Later modules build on this information to get
you to the “implement” step.
The term security posture (or cybersecurity posture) refers to the security status of
every aspect of an organization. That includes the security of networks, systems,
physical property, and intellectual property, plus all the systems, policies, and controls
that implement that security. Security posture includes external entities that affect the
organization, such as partners, vendors, and the supply chain. This module takes some
of the theory and concepts from Module 1-1 and begins the journey to understanding
the security posture.
Infrastructure
In IT risk management, the term infrastructure applies to just about every aspect of an
organization, from the organization itself to its computers, networks, employees, physical security, and sometimes third-party access.
Organization
At its most basic, an organization is who you work for: your company, your corporation,
your nonprofit, your governmental department. These are good potential examples of an
organization, but in some cases, you might need more details. A single organization, for
example, might look like a collection of smaller organizations in terms of risk management (Figure 1-8).
The big difference here is how autonomous your IT management is in relation to
the overall organization. The more decisions the main organization lets a smaller group
handle, the more the smaller group should look at itself as an organization. A smaller
organization might be a single physical location in a different city or perhaps a different
country. It might be a division of a corporation, or a regional governmental agency.
NOTE A quick way to determine the scope of any IT infrastructure is to
identify the bigwigs. A single IT infrastructure should never have more than
one chief security officer, for example.
01-ch01.indd 16
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-2: Risk Management Concepts
17
Figure 1-8
What’s your
organization?
Big Organization
Physically
Separate
Subdivisions
Functionally
Separate
Subdivisions
Separate
Security
Subdivisions
Separate
Legal Subdivisions
Systems
Computers and network equipment are part of an IT infrastructure, but there are many
more components. People matter, such as IT managers, IT techs, human resources, chief
security officer, chief information officer, and legal staff; even individual users are part of
the IT infrastructure. See Figure 1-9.
Physical Security
Physical security is also an important part of an IT infrastructure. Fences, cameras, and
guards protect your infrastructure just as well as they protect the rest of your organization. We’ll cover physical security in Chapter 7, Module 7-8.
Third-Party Access
Third parties that your organization contracts with are part of your IT infrastructure.
Does your organization have an intranet that enables suppliers to access your equipment?
Then those suppliers are part of your IT infrastructure. Have a maintenance contract
on all your laser printers? There’s another part of your infrastructure. The company that
hosts all your Web servers? Yes, they are part of your IT infrastructure as well. We’ll cover
third-party access in Module 1-8.
Dating
Habits
Arrest
Records
Lab
Results
People
Data
Equipment
Figure 1-9 We are your infrastructure.
01-ch01.indd 17
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
18
Security Controls
The action of strengthening a vulnerability to reduce or eliminate the threat is called a
security control. A security control is a directed action you place on some part of your
infrastructure. Security controls don’t say how to perform the steps needed to mitigate a
threat, only that they must be performed.
Here is an example of a security control in the NIST Special Publication 800-53
(Rev. 4).
IA-5 Authenticator Management
Control Description
The organization manages information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the
individual, group, role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the
organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their
intended use;
Plus about seven other points that collectively make up the security control.
You don’t have to know what all of that means yet, but do note that the controls are
guidelines, not specific implementation steps. Steps required to implement the controls
will vary among operating systems and network systems. The bottom line for your job
as a security professional is to locate vulnerabilities and apply security controls. It’s what
we do.
NOTE The security control listed here comes from the NIST NVD in case you
want to look it up: https://nvd.nist.gov/800-53/Rev4/control/IA-5.
As you might imagine, the typical infrastructure probably has thousands, if not tens
of thousands, of security controls that need to be applied. How does a lone IT security
pro create this list of controls? The answer is, you don’t. You use a bit of magic called a
risk management framework.
Risk Management Frameworks
A framework is a description of a complex process, concentrating on major steps and
the flows between the steps. A risk management framework (RMF) describes the major
steps and flows of the complex process of applying security controls in an organized and
controlled fashion.
01-ch01.indd 18
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-2: Risk Management Concepts
19
EXAM TIP The CompTIA Security+ 601 objectives use the term key
frameworks as an umbrella term for the various risk management
frameworks discussed in this module. That’s an objectives organizational
term rather than an industry term.
One popular RMF is the National Institute of Standards and Technology (NIST) Risk
Management Framework (RMF). See Figure 1-10. This RMF is described in NIST
Special Publication (SP) 800-37, Revision 2, Risk Management Framework for Information
Systems and Organizations: A System Life Cycle Approach for Security and Privacy. Originally
designed as an RMF expressly for US federal organizations, the NIST RMF has been
adopted as the de facto RMF by many in the IT security industry.
The NIST RMF isn’t the only well-known framework. NIST RMF was originally
designed only for government agencies (although the latest version of RMF changed its
name from “Federal Information Systems” to “Information Systems and Organizations”).
Not too many years after developing the NIST RMF, NIST introduced the NIST
Cybersecurity Framework (CSF), geared more towards private industry. The NIST CSF is
a similar, less comprehensive framework than the NIST RMF.
International Organization for Standardization/International Electrotechnical
Commission (ISO/IEC) 27001 is the international standard for best-practice information security management systems (ISMS), roughly like the NIST RMF. ISO/IEC
27002 is the international standard to help organizations enumerate—list, define—their
security controls. ISO/IEC 27002 lists categories of security controls, not actual individual controls. ISO/IEC 27701 extends the ISO/IEC 27001 standard to address personal
information and privacy issues.
Figure 1-10
NIST RMF from
NIST.SP.800-37r2
.pdf
CATEGORIZE
MONITOR
SELECT
PREPARE
Process Initiation
AUTHORIZE
IMPLEMENT
ASSESS
01-ch01.indd 19
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
20
NOTE ISO 27001 and 27002 are certainly frameworks, but think of them
more as frameworks with teeth! The EU can selectively choose to require
organizations to use these frameworks as a compliance check, making
them more of a standard than a simple recommendation like the NIST’s
publications.
ISO 31000 provides a broad, higher-level, and less technical overview of risk
management concepts and tools to implement risk management frameworks from the
executive standpoint.
The Center for Internet Security (CIS) publishes CIS Benchmarks, an interesting and
respected framework. The fact that CIS is a nonprofit, nongovernmental organization
makes its framework attractive to many security professionals. Additionally, the CIS
Benchmarks framework explicitly works with small, medium, and large organizations—
the only framework that addresses the “little guy.”
ISACA—a professional association devoted to risk management, auditing, and security
controls management—produces the COBIT framework designed for enterprise-wide
management and governance of information processing and technology. Currently at
COBIT 2019, the framework has wide adoption in the industry.
Although it might at first seem odd to throw accounting frameworks into the
security mix, the auditing aspect of accounting certainly applies. The American Institute
of Certified Public Accountants (AICPA) publishes the Statement on Standards for
Attestation Engagements (SSAE) as a guide to financial reporting. In 2017, AICPA
updated the standard from SSAE 16 to SSAE 18 to include a cybersecurity risk
management reporting framework. It includes System and Organization Controls (SOC)
to guide organizations in their reporting. This framework has been updated since. SOC
2 reports come in two forms, called Type I and Type II. These refer to evaluations of
controls in place (Type I) and the efficiency of those controls over time (Type II).
EXAM TIP The CompTIA Security+ exam objectives use the term “SSAE SOC 2
Type I/II” for the SSAE 18 framework as it applies to cybersecurity.
The Cloud Security Alliance (CSA) created the Cloud Controls Matrix (CCM), a
framework for security controls designed exclusively for cloud computing. Additionally,
CSA produces reference architectures—templates, really—for both broad and veryspecific cloud security. Plus, the CSA CCM works well with—and was designed to
complement—other industry frameworks, such as the NIST and CIS frameworks.
The two biggest players in cloud computing today, Microsoft Azure and Amazon Web
Services (AWS), have frameworks for security in networks that use their services. Amazon
has extensive documentation for its AWS Well-Architected Framework, for example,
providing guidelines for every aspect of security. Curious? Check out AWS’s Five Pillars
of the Framework: https://wa.aws.amazon.com/wat.pillars.wa-pillars.en.html.
Organizations use one or more of the frameworks discussed above to apply various
security controls. That begs the question: Where do security controls originate? Let’s
01-ch01.indd 20
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-2: Risk Management Concepts
21
dive into the sources of some controls, such as legislation and regulations, standards, best
practices, and security policies.
Legislation/Regulations
Many laws affect how and what types of security controls your organization may use.
Governments from states/territories and nations affect those whose businesses work or
operate in the respective locations.
The United States has many laws that IT security professionals should know, such as
the Patriot Act (2001), the Electronic Communications Privacy Act of 1986 (ECPA), the
Computer Security Act of 1987, the Health Insurance Portability and Accountability Act of
1996 (HIPAA), and the Sarbanes-Oxley Act of 2002 (SOX). There are many more, but a
couple of descriptions should do for this introduction.
HIPAA provides data privacy and security provisions for safeguarding medical
information. These include provisions for who may have access to patient records and
how to properly store records. SOX has many provisions, but the one that is most
important to many companies is the requirement for private businesses to retain critical
records for specific time periods. Both HIPAA and SOX are discussed in more detail in
Module 1-6.
NOTE The CompTIA Security+ exam barely scratches the surface of what
security professionals need to know about laws that affect our field. You
cannot skip over legal guidelines, though, because they will bite you . . . and
make your security career short and unpleasant.
In response to demands by the public to protect the privacy of users visiting Web sites,
the European Union (EU) created the General Data Protection Regulation (GDPR).
Since GDPR became effective in 2018, odds are good you’ve seen a GDPR notification
on Web sites such as shown in Figure 1-11.
GDPR is an interesting law, as in theory it applies globally to any organization or
country that processes or stores personal information of any EU citizen. As of this
writing, the EU hasn’t attempted to sanction or fine any non-EU organization, but
it’s just a matter of time. GDPR is unique to the EU, but many national, state, and
territorial governments have adopted similar legislation. The state of California, for
example, adopted the California Consumer Privacy Act (CCPA).
Standards
A standard is a ruleset voluntarily adopted by an industry to provide more uniform products and services. It might be more accurate to replace the word voluntarily with the
word voluntold, because many standards are often required for participation in certain
industries. Easily the most far-reaching standard from the standpoint of IT security is the
Payment Card Industry Data Security Standard (PCI DSS). This industry-specific framework, adopted by everyone who processes credit card, debit card, prepaid card, or gift card
transactions, provides for several highly detailed security controls to mitigate credit
card fraud. Vendors who accept credit cards but fail to abide by PCI DSS rules quickly
find themselves cut off from their ability to accept cards.
01-ch01.indd 21
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
22
Figure 1-11
GDPR
notification
Benchmarks/Secure Configuration Guides
Benchmarks and secure configuration guides are knowledgeable recommendations that
lack the enforceability of legislation and standards, but are an important consideration
of any IT security framework. Benchmarks and guides come from governments (if you
want to be accurate, even the NIST RMF is just a guide), industry groups, and vendors.
In most cases benchmarks and guides tend to be very specific, directed toward a platform
such as Microsoft Windows, Apache Web servers, application servers, network infrastructure devices, and so on.
NOTE Add the term “best practices” to benchmarks and guides, as they are
basically the same thing.
01-ch01.indd 22
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-2: Risk Management Concepts
23
Figure 1-12 Excerpt from CIS Benchmark for Apache HTTP Server
One excellent example of benchmarks is the collection of CIS Controls from the
Center for Internet Security, the same folks who made the CIS Benchmarks mentioned
earlier. These platform-specific benchmarks are wonderfully detailed and are an excellent
tool for those of us who need a more step-by-step guide for securing a broad cross-section
of platforms. Figure 1-12 shows a few lines from CIS’s excellent guide to securing the
popular Apache Web server.
Sometimes it’s down to the users of equipment to tell others about their security
experiences. Any organization can create or use a Security Technical Implementation Guide
(STIG) to standardize security protocols throughout their networks. A typical STIG
provides details on how to optimize desktop computer security, for example, and best
practices for patching and security updates. STIGs also cover configuration and security
details for every common networking device, from routers to firewalls.
EXAM TIP The CompTIA Security+ exam will test your knowledge of the
European legislation GDPS, US laws (HIPAA and SOX), and standards
such as PCI DSS.
The entire IT industry is filled with vendor-specific guides, providing best practices that
vendors recommend you follow. From configuring access control lists for a Cisco router
to hardening Remote Desktop on Windows Server 2019, there’s a benchmark (or best
practice) for you. Microsoft provides incredibly detailed best practices for all its products
(Figure 1-13).
01-ch01.indd 23
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
24
Figure 1-13 Best practices for a Microsoft product
Security Policies
A security policy is a document that organizations generate to declare what actions and
attitudes they will take for certain critical aspects of their infrastructure. An organization
may have hundreds of policies, but, generally, policies most commonly define security
controls for the trickiest assets in every organization—the people. Later modules will
delve deeply into policies; for now, let’s look at one of the most common, an acceptable
use policy.
An acceptable use policy (AUP) defines exactly what users may or may not do on systems
in the organization. Here are a few lines from an example AUP pulled from one of many
free boilerplates available on the Web:
• Users must not attempt to access any data, documents, e-mail correspondence,
and programs contained on systems for which they do not have authorization.
• Users must not share their account(s), passwords, personal identification numbers
(PIN), security tokens (i.e., smart card), or similar information or devices used
for identification and authorization purposes.
• Users must not use non-standard shareware or freeware software without the
appropriate management approval.
• Users must not engage in activity that may degrade the performance of
Information Resources; deprive an authorized user access to resources; obtain extra
resources beyond those allocated; or circumvent computer security measures.
• Users must not download, install, or run security programs or utilities such
as password cracking programs, packet sniffers, or port scanners that reveal or
exploit weaknesses in the security of a computer resource unless approved by the
CISO (chief information security officer).
01-ch01.indd 24
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-3: Security Controls
25
Module 1-3: Security Controls
This module covers the following CompTIA Security+ objective:
• 5.1 Compare and contrast various types of controls
The previous module covered the concept of security controls and even showed you a
few examples. This module delves deeply into the organization of security controls. This
organization makes it easier to consider the types of controls available and to classify
them into specific groups based on what they do to mitigate threats. The CompTIA
Security+ objectives group controls into two broad areas: categories and types. Let’s look
at both to see how they work.
Control Categories
Control categories define who or what aspect of the enterprise deals with them or who or
what aspect of the infrastructure they affect. In this case, we break security controls into
managerial, operational, and technical.
Managerial Controls
You can categorize controls by defining the people responsible for those controls. A managerial control (or management control), for example, is a broad control that covers the
entire organization. All employees, no matter their location, must use a 12-character
password updated every 30 days—that’s a managerial control. These require some form
of management overview. Management controls are reviewed periodically, such as yearly
or monthly.
Operational Controls
Operational controls apply to a single unit in an organization and deal with how things
get done. An example of an operational control would be a requirement that a certain
PC controller must be reset daily. Operational controls rarely need management overview and are reviewed far more frequently than management controls.
Technical Controls
Technical controls are security controls applied to technology. If you specify a security
control that states, “All edge routers must be able to communicate on SNMPv3,” then
you’ve made a technical control.
Control Types
Thus far, the book has defined a security control as an action performed on a vulnerability to mitigate the impact of a risk. But what form of action can a control take? At
first glance you might be tempted to look at a security control as an action to block an
attack. It’s tempting, for example, to think of placing 20-character, complex WPA2 passwords on all the wireless access points (WAPs) in an organization as a security control
that will stop anyone from hacking the 802.11 network. This is a strong security control
01-ch01.indd 25
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
26
Figure 1-14
Mitigation isn’t
perfection.
My complex, 20-character
password makes this SSID
unhackable!
WPA2
Not unhackable, just a lot
harder to hack.
no doubt, but it can’t absolutely stop a determined attacker. Even long passwords can be
hacked, although the probability of a successful attack is greatly reduced (Figure 1-14).
Mitigation doesn’t mean stopping an attack. Attacks happen. Therefore, it’s helpful
to define security controls based on when they work relative to the phase of an attack.
A security control might work before, during, or after an attack. These are generally
known as control types. You need to know five control types for both essential skills and the
CompTIA Security+ exam: deterrent, preventive, detective, corrective, and compensating.
EXAM TIP The CompTIA Security+ objectives include physical as a control
type. The physical control category includes options for securing physical
areas from unauthorized access, such as fences, bollards, and so on. See
Chapter 10, Module 10-1 for physical controls in depth.
Deterrent Control
A deterrent control is designed to deter a potential attacker from even attempting an attack.
Good lighting or signage around your building might deter an intruder from entering.
Not building a server building near a fault line is another example. Figure 1-15
shows the welcome banner from a Secure Shell (SSH) server. Surely that will deter any
potential hacker!
Figure 1-15
Mike’s SSH
warning
01-ch01.indd 26
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-4: Risk Assessment
27
Preventive Control
A preventive control attempts to keep an active attack from succeeding. The earlier example of using a 20-character password on WPA2 is a great example of a preventive control.
Putting a lock on the server room door is another example of a preventive control. Doing
thorough background checks on potential new employees would be a third example.
NOTE
Most security controls are preventive controls.
Detective Control
A detective control works during an attack. As the name implies, these controls actively
look for an attack and alert security professionals to the presence of an active, ongoing
attack. An intrusion detection system, for example, watches a network for activity that
indicates an intrusion attack. A security camera detects someone trying to go into a place
he or she does not belong.
EXAM TIP Some security controls cross phases. A security guard can be
classified as a deterrent control, preventive control, or detective control,
for example, depending on the role that the security guard is playing at any
given moment.
Corrective
A corrective control applies after an attack has taken place and fixes/mitigates the result of
the incident. Restoring data from backups is probably the most common example of a
corrective control.
Compensating
Sometimes you need to provide a temporary solution to a vulnerability that’s less than
optimal. Perhaps someone tried to drive through a fence and you need to hire an extra
guard for a short time. Maybe all users have to log into a system as root until a completely
new system comes online, so you add extra logs to track usage more closely. These are
compensating controls. You use compensating controls to keep going until a better control
is available or possible.
Module 1-4: Risk Assessment
This module covers the following CompTIA Security+ objective:
• 5.4 Summarize risk management processes and concepts
Previous modules discussed risk and the security controls used to mitigate risk.
So, you might think that risk management is nothing more than an ongoing process
01-ch01.indd 27
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
28
Figure 1-16
Probably not
worth it
We can just
skip payroll!
No.
Ion Cannon
of identifying each vulnerability and then applying some form of security control to
mitigate the risks that vulnerability exposes. Applying security controls is important,
but the actual step of applying a security control is the end of a complex process. Risk
management is much more nuanced.
This nuance comes from the fact that every risk has a different vulnerability and
impact. A risk with very low impact might not be worth the cost of mitigation. Equally,
a risk with very low impact might motivate you to ignore the risk. Also, consider the fact
that IT security teams have a limited amount of money, time, and resources to apply to
addressing all the risks.
Consider the risk of a meteor hitting your facility (Figure 1-16). If you could get a Star
Wars ion cannon for the low, low price of $47 trillion, how would you feel about sending
that bill to your accounting department?
These variables require a good IT security professional to develop a risk assessment, which
is a carefully organized plan, more nuanced than simply trying to mitigate everything. A
good risk assessment uses several tools and methods to enable the IT security professional
to react to all threats in a realistic and practical way. This module starts by defining
some of the main concepts and tools of risk assessment. The module describes existing
frameworks you can use to help you perform a comprehensive risk assessment.
Risk Assessment Processes and Concepts
Risk assessment brings a lot of jargon into play to describe specific aspects or nuances in
security. This section explores risk assessment terms that define common processes and
concepts: risk awareness, risk and controls, risk assessment methods, threat sources and
events, vulnerabilities, likelihood and impact, and risk register.
Risk Awareness
Risk awareness is the process by which people recognize risk. It’s one of those terms that
sounds obvious but really isn’t. Sure, we want to be aware of risk, but how does that
awareness manifest? Knowing how we are aware of a risk often helps us mitigate that risk.
First of all, maybe it doesn’t manifest at all. Perhaps the awareness comes from careful
analysis, or perhaps the person identifying the risk has some form of bias about that risk.
01-ch01.indd 28
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-4: Risk Assessment
29
Risk and Controls
There’s more to risk than simply mitigating through controls. You can’t just recognize a
risk and slap on a control to mitigate that risk. You need to consider the ramifications
of the control before applying it to a risk. Does the control mitigate the risk? What happens without the control? How much mitigation does the control provide? Is it worth it?
Does the application of the control create other risks that also have to be mitigated? That
creates three states: the risk with no control applied; the risk after a control; new risks
developed because of the control.
Inherent risk represents the amount of risk that exists in the absence of controls.
Residual risk is the amount of risk that remains after accounting for controls. Control
risk is the probability of loss resulting from the malfunction of internal control measures
implemented to mitigate risks.
Once a control is applied, it’s important to make a control assessment. These
assessments manifest in many ways, but you should know the two ways to perform
that assessment: a risk control assessment is when you use an outside source to inspect
and judge the quality of your controls. This might be important especially to comply
with laws or regulations that affect control risk or risk posture—the overall scope of risk
for an organization. Otherwise, an organization can simply perform a risk control selfassessment—as in you use in-house resources to do the assessment.
Risk Assessment Methods
In addition to hiring knowledgeable and experienced risk management personnel, organizations can implement and follow a formalized process or methodology in assessing
risk. Developing this process can be quite an undertaking, but, fortunately, organizations
can use existing methods created by experts in the risk management profession. One
such common method of conducting risk assessments is NIST SP 800-30, Rev. 1, Guide
for Conducting Risk Assessments. Another assessment methodology comes from ISACA,
a professional association devoted to risk management, auditing, and security controls
management. This methodology is The Risk IT Framework. Both methodologies describe
detailed processes for conducting risk assessments, and both can be adapted for any organization to use.
NIST SP 800-30, Rev. 1, prescribes a four-step risk assessment process:
1. Prepare for assessment.
2. Conduct assessment:
A. Identify threat sources and events.
B. Identify vulnerabilities and predisposing conditions.
C. Determine likelihood of occurrence.
D. Determine magnitude of impact.
E. Determine risk.
3. Communicate results.
4. Maintain assessment.
01-ch01.indd 29
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
30
After initial preparation, the IT security professional begins the assessment. First,
identify threat actors (sources) and threat events, and then identify vulnerabilities
associated with assets and other risk factors. You then calculate likelihood and impact
values, which define the risk. Communicating the risk assessment results means reporting
the assessment to management, so that risk response options can be carefully considered.
Maintaining the assessment means implementing the response options and closely
monitoring the risk, periodically reassessing it to ensure the effectiveness of the response
options and to determine whether the risk has changed.
NOTE Although you likely will not be tested on either the NIST or ISACA
methodologies, they’re good to know for use on the job, especially if you are
assigned any type of risk assessment duties for your organization.
Identifying Threat Sources and Events
The first step in threat assessment is to identify the threat sources and to categorize
them into groups. The process of categorizing threats may seem daunting, but NIST
and ISACA provide some good basic categories to begin the process. Referencing NIST
SP 800-30, Rev. 1, Table D-2, one possible categorization might look something like
Figure 1-17.
You’re not required to use this categorization. Some organizations simply break all
threat sources into no more than the following four categories. Compare these to similar
categories listed in Figure 1-17 to get an idea as to how different organizations can use
totally different categories to cover the same types of threats.
• Environmental Natural disasters outside the control of humans
• Person-made Any threat that is not environmental; includes disasters caused
by people
• Internal Threat generated by internal sources, usually an insider to the organization
• External Threat generated from outside your infrastructure
Vulnerabilities
As a refresher from Module 1-1, a vulnerability is a weakness inherent in an asset that
leaves it open to a threat. Vulnerabilities in an organization vary according to the unique
components of that organization, so it’s hard to provide anything concrete here that applies universally. Broadly speaking, though, just as with threat sources, organizations can
have internal and external vulnerabilities.
Internal vulnerabilities include legacy systems and software compliance/licensing issues.
As a business grows over time, that “old Windows 7 computer in the corner that has
one job” might not have any security support anymore. Assessing all the systems in use
throughout an organization is essential to finding vulnerabilities. Likewise, software that
is out of compliance or license creates a financial vulnerability—get caught in an audit
and pay stiff penalties.
01-ch01.indd 30
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-4: Risk Assessment
31
Figure 1-17 Example taxonomy of threat sources (from NIST SP 800-30, Rev. 1)
Multiparty affiliations can expose external vulnerabilities, such as the communications among the entities, or a shared database in the cloud with users from each entity.
Having valuable intellectual property presents a prototypical vulnerability, IP theft by
external hackers.
01-ch01.indd 31
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
32
Combine these vulnerabilities with willing and able threat actors, then define the
likelihood of occurrence (described next). These are classic risks for which you need to
implement security measures to protect the organization.
NOTE CompTIA uses the term “risk types” to describe vulnerabilities like
those outlined in this section. The vulnerabilities become risks when you
add threats and likelihood.
Likelihood and Impact
Once you have collected all the different data on threats, vulnerabilities, and assets, you
can assess likelihood of occurrence and impact. Likelihood of occurrence is the probability
that a threat actor will initiate a threat or the probability that a threat could successfully
exploit a given vulnerability. Impact is the degree of harm or damage caused to an asset or
the organization. Both can be viewed in either objective or subjective terms.
Objectively, likelihood or impact could be expressed in terms of numerical values.
In a subjective expression, both elements may be termed qualitatively, or using a range
of descriptions on a scale. These two ways of expressing likelihood and impact are the
two risk assessment types discussed in the upcoming sections: quantitative (objective or
numerical) and qualitative (subjective) assessment types.
Risk Register
High
A risk register is a scatter-plot graph that compares probability to impact. Risk registers
are handy tools for detecting otherwise easily missed risks.
Meteor
Impact
Fire
Impact
Lose Critical
Programmer
Patching
Error
Low
Router
Failure
Malware
Low
Probability
High
Taxonomy of Threat Sources
01-ch01.indd 32
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-4: Risk Assessment
33
Quantitative Risk Assessment
An organization uses a quantitative risk assessment when it requires exact figures on
risk equated to likelihood and impact. Exact dollar values, for instance, can be used
to describe impact or loss of an asset. A quantitative risk assessment requires that the
organization measure and obtain certain pieces of data, because the assessment depends
upon the accuracy and completeness of the data fed into it.
A quantitative risk assessment is based on objective data—typically, numerical data.
A quantitative assessment is objective in that the data fed into it is measurable and
independently verifiable. For example, cost expressed as a dollar value is a measurable
and concrete piece of data often used to perform quantitative analysis. Other types
of numerical data may include statistical analysis of different aspects of likelihood,
for instance.
In the next few sections, we’ll look at five data elements required to perform a
quantitative assessment: asset value, exposure factor, single-loss expectancy, annualized
rate of occurrence, and annualized loss expectancy. Note that these are very simplistic data
elements; in more complex assessments, other data elements might be required as well.
Asset Value and Exposure Factor
A quantitative risk assessment starts with determining asset value, a monetary figure that
reflects various factors, such as replacement or repair cost, cost over time, and more.
First, determine an asset’s replacement cost. Some organizations may need to consider
depreciation values over time, however, which would reduce the amount of money they
may have available to replace an asset. Another consideration is repair cost versus replacement cost. If an asset simply needs repair to return to an operational condition, then the
organization should consider different costs for different components required to repair
the asset. (See Module 1-5 for more on component failure measurements.)
Beyond cost to replace or repair the asset, you must also look at the revenue the asset
generates. To replace a failed server, for example, costs $5000; the amount of revenue
that the server brings in every day, due to the data that’s processed on it, is $3000. So
even if you pay the $5000 to order a new server, if the vendor can’t get it to you and
installed within four days, you’ve lost $12,000 in revenue in addition to the cost of the
server. Those considerations may require you to reevaluate the value of the asset. It’s not
only about the cost of replacement for the asset, but also how much value it gives to the
organization.
NOTE When valuing an asset, consider not only the replacement cost but
also the revenue the asset generates, as this will be lost as well if the asset is
not available.
Along with asset valuation, organizations should consider the exposure factor, the
percentage of an asset’s value that could be lost during a negative event. Realistically, you
will not always lose 100 percent of the value; you may lose only 30 percent or 50 percent,
01-ch01.indd 33
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
34
for example. Exposure factor considers the percentage of the asset’s value (or the revenue
derived from the asset) lost in the event of an incident.
You can use exposure factors when performing risk assessments to determine
realistically how much of a loss your organization may suffer during an incident. This in
turn affects how much money or other resources you should devote to budgeting for risk
response. Exposure factors are normally expressed mathematically as a decimal number.
An exposure factor of 0.4, for example, is a 40 percent loss, and an exposure factor of
1 is a 100 percent loss.
Single-Loss Expectancy
The single-loss expectancy (SLE) is a value that’s computed simply by multiplying the asset’s value (in dollars) by the exposure factor (percentage of loss). Use this simple formula
as the initial step in describing risk from a quantitative point of view. The SLE indicates
what the loss would be in a single circumstance of a negative incident affecting the asset.
The formula can also be described as follows:
SLE (single-loss expectancy) = AV (asset value) × EF (exposure factor)
Given this formula, suppose you had an asset worth $5000, and during a single-loss
event such as a fire, you’d expect to lose 50 percent of that asset’s value. This would be
expressed as:
SLE = $5000 (AV) × 0.50 (EF) = $2500
Obviously, this is a very simple scenario. When calculating SLE, you must look at
other aspects of the loss, such as the event that might cause the loss, its likelihood, revenue
generated from the asset, and so on. Additionally, exposure factor can be a difficult value
to nail down. You might use statistical analysis, or even the “best guess” by a committee
of experts, to determine exposure factor for different assets.
EXAM TIP Know the formula for single-loss expectancy:
SLE = AV (asset value) × EF (exposure factor)
Annualized Rate of Occurrence
The annualized rate of occurrence (ARO) is how many times per year you would expect a
negative event to occur, resulting in a loss of the asset. This value relates more to likelihood than impact and serves to establish a baseline of how likely a specific threat is to
occur, affecting the asset.
This value can result from several different sources. First, you could look at historical
trends. For example, let’s say that your business is in an area prone to tornadoes. You can
gather information from the National Weather Service on how many tornadoes normally
occur in your region every year. This would be the ARO for that threat. Obviously,
other events would have other rates of occurrence. Some of these would be difficult
to quantify without more in-depth information. For instance, obtaining the ARO for
01-ch01.indd 34
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-4: Risk Assessment
35
attacks from hackers would be problematic, since that would not necessarily be limited
to a geographical area. You might have to gather data and perform statistical analysis to
determine how often serious attacks occur, given specific circumstances, attack methods,
level of attack, and so on, with regard to your type of industry or business. Some of this
data might come from published industry trends, and some information may come from
law enforcement or threat intelligence sources (introduced in Module 1-1) that provide
aggregate analysis of this particular type of data. In the end, this might simply be an
educated guess, based upon the best data you have available to you. In any case, what
you’re after is an end number that you can use as a factor in determining how often a
particular threat might occur on an annual basis. You’ll use this number during the next
calculation, the ALE.
Annualized Loss Expectancy
The annualized loss expectancy (ALE) essentially looks at the amount of loss from the SLE
and determines how much loss the organization could realistically expect in a one-year
period. Viewing potential loss on an annual basis makes it easier to craft budgets and
allocate resources toward risk management, since most organizations function on a fiscalyear basis. Additionally, this allows the organization to project how many times in a given
year a particular event may occur. The formula for ALE is also quite simple:
ALE (annualized loss expectancy) = SLE × ARO
Let’s use an example to make this formula clear.
The Bayland Widgets Corporation has a data center in Totoville, Kansas. Totoville
averages about seven major tornados a year. The ARO of a tornado is therefore 7. A serious
tornado hit to the $2,000,000 facility would likely cause about 20 percent damage. Put
those numbers together to create the SLE:
SLE = AV ($2,000,000) × EF (20% or 0.2)
SLE = $400,000
If all seven major tornadoes that occurred during the year actually hit and caused this
level of damage to the facility, then the ALE would be $400,000 (SLE) × 7 (ARO) = a
potential loss of $2,800,000 (ALE). This would be the worst-case scenario. Realistically,
since all seven are not likely to hit the facility, you can lower the ARO to a lesser number.
Obviously, this is a very simplistic (and most likely remote) scenario; the object here is
to show you the different data elements and demonstrate how the formulas work. These
simple formulas don’t take into account realistic values or other risk factors that may
affect likelihood and impact. However, they do demonstrate the basics of how you might
calculate these two risk elements. You’ll find that these particular formulas are prevalent
throughout the Security+ exam as well as other higher-level information security exams,
such as the CISSP.
EXAM TIP Understand the formula for computing the
annualized loss expectancy:
ALE = SLE (single-loss expectancy) × ARO (annualized rate of occurrence)
01-ch01.indd 35
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
36
Qualitative Risk Assessment
Quantitative risk assessments seem to be, on the surface, the way to go if an organization wants a very accurate, data-driven view of risk. Quantitative analysis, however, has
a couple of weak points. First, a lack of data can force organizations to use incomplete
or subjective numerical values. Second, even exact numbers can be misleading, simply
because of the different methods people and organizations use to arrive at numerical
values. Yet another issue is the fact that even when you’re talking about exact numbers,
they can still be subjective. People, because of their own opinions or limitations of their
data collection and analysis processes, sometimes have to make educated guesses about
numerical values. These issues can cause data to be incomplete, inexact, or simply incorrect. Another big shortfall with quantitative analysis is that many other types of data
cannot be easily quantified or measured. Some of these pieces of data are also subjective.
In other words, they are dependent upon the point of view of the person collecting and
analyzing the data. This is why a qualitative analysis is often preferred.
A qualitative risk assessment doesn’t necessarily use numerical values; it relies on a risk
appetite. Risk appetite is a relative term of how much risk is perceived by the organization.
Organizations usually assign a descriptive value, such as low, medium, or high when
defining a risk appetite for a particular risk. They take into consideration less tangible ideas
such as experience, opinion, trend analysis, or best estimates. For example, what would the
impact be to an organization if it suffered a loss of reputation in the marketplace?
Reputation cannot be easily quantified numerically. Those are typically the values (or
some similar range of descriptive values) that qualitative analysis uses. In the case of loss
of reputation, the impact might be designated as high, for instance.
Even risk elements that could normally be assigned a numerical value can be expressed
qualitatively. The likelihood of a threat exploiting a vulnerability could be expressed in a
range of descriptive values, such as very low, low, moderate, high, and extreme. The same
could be said for impact. Of course, these values are subjective; what one person believes
to be a high likelihood, another may believe to be an extreme likelihood. In qualitative
analysis, the organization must come to a consensus over what qualitative values mean
and the relationships among values.
We can use tools such as a risk matrix to help organize risk assessment. A risk matrix is
a table that plots the likelihood of occurrence of a risk against the severity of the impact.
Imagine a scenario where a server room becomes inoperable. Plotting severity of impact
against likelihood, we could see something like the risk matrix shown in Table 1-1.
Impact
Marginal
Likelihood
Minor
Important
Critical
Certain
Moderate
High
Extreme
Extreme
Likely
Moderate
High
High
Extreme
Possible
Low
Moderate
High
High
Unlikely
Low
Low
Moderate
Moderate
Rare
Very Low
Very Low
Low
Moderate
Table 1-1 Risk Matrix
01-ch01.indd 36
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-4: Risk Assessment
37
Figure 1-18 Qualitative and semi-qualitative values (from NIST SP 800-30, Rev. 1)
This sample risk matrix is fairly easy to read, but as a matrix gets larger it’s often handy
to add color to the matrix to represent the risk by color: red the highest and green the
lowest. This is called a heat map.
Despite the subjective nature of qualitative analysis, this type of assessment can be
very meaningful and accurate. The organization can develop a method of calculating risk
based upon the relative values of impact and likelihood, even given descriptive values.
In Figure 1-18, taken from NIST SP 800-30, Rev. 1, risk can be calculated from a
qualitative perspective using descriptive likelihood and impact values.
It’s also worth mentioning here that another type of scale could be used, one that does
use numeric values. You could have a scale that uses values from 1 to 10, for example. In
this case, the scale will be referred to as semi-quantitative, because these numbers could
be averaged together to get aggregate values. Since it is still a subjective measurement,
however, it is really a qualitative type of analysis.
Putting It All Together: Risk Analysis
Although qualitative risk analysis is probably most often used because it can accept a
wide variety of data, including elements that are not easily quantifiable, most organizations use a combination of qualitative and quantitative analyses. To calculate the impact,
for example, the organization might use quantitative assessments. To calculate likelihood,
the organization may go with a qualitative approach. For some risk scenarios, either one
or both may be more appropriate. Which method an organization uses depends upon
what type of data it has and what type of data it wants to obtain from the analysis.
Also, although risk scenarios typically revolve around a single threat, vulnerability,
and asset at a time taken together in context, these risks are usually calculated and then
rolled up into a larger level of risk that applies to the entire organization. Figure 1-19,
also taken from NIST SP 800-30, Rev. 1, illustrates how the use of qualitative values
can be used to describe overall risk. At first glance, Figure 1-19 seems almost identical
to Figure 1-18, but read the descriptions. Figure 1-18’s description is concerned with
01-ch01.indd 37
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
38
Figure 1-19 Qualitative assessment of risk (from NIST SP 800-30, Rev. 1)
the attacker, whereas the description in Figure 1-19 describes the risk in terms of how it
might affect infrastructure.
NOTE Remember the difference between qualitative and quantitative
assessment methods. Qualitative methods use descriptive terms, while
quantitative methods primarily use numerical values.
Risk Response
After you’ve identified and analyzed risk for assets and the organization, you must then
decide how to respond to the risks produced as a result of the analysis. Responding to risk
means to attempt to minimize its effects on the organization. Risk management strategies
fall into four categories:
•
•
•
•
Mitigation
Transference
Acceptance
Avoidance
An organization chooses risk mitigation, risk transference, risk acceptance, or risk
avoidance depending on several factors, including cost, effectiveness, and what value
it places on the asset in question. Often, risk responses could include implementing
01-ch01.indd 38
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-4: Risk Assessment
39
technologies or controls that cost more than the asset is worth, and the organization has
to decide whether it is worth it to deal with the risk.
Risk mitigation is an attempt to reduce risk, or at least minimize its effects on an
asset. This may mean reducing the likelihood of occurrence, reducing or eliminating
the exposure of the vulnerability, or reducing the impact if a negative event does occur.
Mitigation usually involves adding security controls to protect an asset against a threat,
reducing likelihood, exposure, or impact in some way.
Be aware that most risk management theory states that risk can never be completely
eliminated; it can only be reduced or mitigated to an acceptable level. The acceptable
level may be an extremely low likelihood of occurrence or an extremely low impact if the
risk were to be realized.
Risk transference (also sometimes called risk sharing) deals with risk by sharing the
burden of the risk, especially the impact element. In risk transference, an organization
contracts with another party to share some of the risk, such as the cost to the organization
if the threat were realized.
The standard example of risk transference you will often hear about in the security
community is the use of cybersecurity insurance. Buying insurance to protect a business
in the event of a natural disaster, for example, alleviates the burden to the business by
reducing the impact of cost if a natural disaster occurs. The insurance pays the business
if equipment or facilities are damaged, reducing the impact. Note that this doesn’t lessen
the likelihood of the threat occurring; it only lessens the financial impact to the business.
Another example of risk sharing is through the use of third-party service providers,
such as those that provide infrastructure or data storage services. In this example,
the business contracts with a third party to store and protect the business’s data in a
different location. Such an arrangement could be beneficial to the business because it
might reduce the likelihood of a threat occurring that would destroy data (by providing
additional security controls and data redundancy, for example) as well as the impact.
NOTE Transferring risk does not also mean transferring legal responsibility
or liability from the organization. Ultimately, the responsibility for protecting
data and following legal governance still belongs to the organization.
Risk acceptance means the organization has implemented controls and some risk
remains. It does not mean simply accepting an identified risk without taking any action
to reduce its effects on the organization. Risk acceptance isn’t the act of ignoring risk.
Risk acceptance occurs when an organization has done everything it can do to mitigate
or reduce risk inherent to an asset, yet finds that some small level of risk remains even after
these efforts (called residual risk). Remember that risk can never be completely eliminated;
it may simply be reduced to a very unlikely level or to a very insignificant impact.
As an example, suppose that an organization believes there is significant risk to one
of its most valuable information technology assets, a critical server that processes realtime financial transactions. If this server costs $20,000 to replace, the organization may
spend $3000 in security controls to protect the server. After it has spent this money,
01-ch01.indd 39
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
40
the organization may find that the risk is reduced to a very small level. The residual risk
is very unlikely, and even if it were to occur, it would have only a very slight impact. The
organization could reduce the risk even more by spending an additional $2000 on more
controls, but if the risk is very small, would spending the additional money be worth it?
At this point, the organization has to decide whether to spend the additional money or
simply accept the residual risk.
Risk avoidance means that the organization could choose not to participate in
activities that cause unnecessary or excessive risk. Note that this doesn’t mean that the
risk is ignored and that the organization does not take steps to reduce it. In some cases, a
business pursuit or activity may be too risky to undertake, for example. The organization
may perform a risk analysis on a proposed activity and simply decide that the risk is not
worth the potential negative effects to the asset or organization.
Often, an organization will use a combination of these responses to address the
many and varied risks it encounters; there is no one perfect response solution that fits
all organizations, assets, and activities. The decision of how to respond to a particular
risk scenario involves many complex factors, which include cost, effectiveness of the
response, value of the asset, and the ability of the organization to implement a particular
response successfully. Additionally, as risk factors and conditions change over time, the
organization must continually monitor and revisit risk responses from time to time to
ensure that they are still effective.
EXAM TIP Remember the four possible risk responses: risk mitigation, risk
transference, risk acceptance, and risk avoidance, as well as their definitions.
Module 1-5: Business Impact Analysis
This module covers the following CompTIA Security+ objectives:
• 1.6 Explain the security concerns associated with various types of
vulnerabilities
• 5.4 Summarize risk management processes and concepts
• 5.5 Explain privacy and sensitive data concepts in relation to security
A good risk assessment requires analysis of the impact of incidents against the
IT infrastructure. You should consider the impact of an incident in terms of how it
affects the work of an organization. To do this, security professionals perform a business
impact analysis (BIA) that predicts both the consequences of incidents and the time and
resources needed to recover from incidents.
This module starts with an overview of the steps involved with performing a BIA,
using my company, Total Seminars, as an example. The rest of the module focuses
on three important BIA functions: types of impact, location of critical resources, and
calculating impact.
01-ch01.indd 40
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-5: Business Impact Analysis
41
NOTE A business impact analysis is designed to mitigate the effects of an
incident, not to prevent an incident.
BIA Basics
NIST SP 800-34, Rev. 1, Contingency Planning Guide for Federal Information Systems,
offers a detailed, three-stage BIA (Figure 1-20):
1. Determine mission/business processes and recovery criticality. Mission/Business
processes supported by the system are identified and the impact of a system disruption
to those processes is determined along with outage impacts and estimated downtime.
My interpretation: Make sure you know which workflows and processes your
organization depends on to operate, in other words, the mission-essential
functions. Determine the types of impact and consider the impact of the failure of
each of these workflows and processes. Estimate how long it takes to bring those
workflows and processes up to speed.
2. Identify resource requirements. Realistic recovery efforts require a thorough
evaluation of the resources required to resume mission/business processes and related
interdependencies as quickly as possible.
My interpretation: What are the critical tools your organization uses to do these
workflows and processes? Where are they? How do they work? In other words,
a BIA provides identification of critical systems.
Figure 1-20
NIST SP 800-34,
Rev. 1
01-ch01.indd 41
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
42
3. Identify recovery priorities for system resources. Based upon the results from
the previous activities, system resources can be linked more clearly to critical mission/
business processes and functions. Priority levels can be established for sequencing
recovery activities and resources.
My interpretation: Once you understand all the resources that make a workflow/
process work, determine the priority of bringing them back up to speed if they
fail. Make sure you know the mission-essential functions of the organization; this
helps you prioritize recovery.
NOTE A BIA is part of a broader field of study in IT security called
contingency planning (CP). CP covers almost everything an IT security person
needs to consider to keep an infrastructure humming in the face of an
incident. CP goes way beyond the scope of the CompTIA Security+ exam,
but note for future studies that the two go together.
A typical small business provides an excellent example for a BIA in action. Total
Seminars (or TotalSem, for short) writes books, generates online content, builds test
banks, and makes lots of videos (shameless plug: check out hub.totalsem.com).
Determine Mission/Business Processes and Recovery Criticality
TotalSem has three critical workflows:
• The online store (www.totalsem.com) for selling products
• Internet access for R&D and customer communication
• Video production facility consisting of workstations and a few critical local servers
The three workflows differ in what the company can do to protect them. Amazon
Web Services hosts the Web site and store, so there is little to do to mitigate the impact
of AWS going down, other than wait. Internet access has two components. The cable
company provides the pipe—not much to do there, just like with AWS—and TotalSem
techs control access to the Internet for each workstation. Video production, while
important, can go down for a day or two without too much impact (unless you’re waiting
for my next video!).
Now, let’s sort these workflows by priority.
1. Internet access
2. Video production
3. Web store
The Web store generates company profits and, from a business sense, should have top
priority. Because TotalSem has no direct control over the store, however, it drops to the
bottom of this list.
Once you’ve determined priorities, move to the next BIA stage.
01-ch01.indd 42
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-5: Business Impact Analysis
43
Identify Resource Requirements
At the second stage, you should analyze all the resources required for each mission/process
outlined in the first stage. Total Seminars’ Internet access provides a good example.
Total Seminars’ Internet access isn’t very complex. A single Internet service provider
(ISP) provides a cable modem that’s owned by the ISP. Locally, TotalSem has a midrange
edge router (Cisco ASA) that supports a public-facing DNS server. The TotalSem internal
network moves through a second NAT router (with a built-in switch) to individual systems.
The resources for Internet access therefore consist of a cable modem, a server, and a
couple of routers/switches.
After outlining all resource needs for each mission/process, move to the next stage.
Identify Recovery Priorities for System Resources
At the final stage, prioritize recovery steps. If TotalSem completely lost Internet access, for
example, the priority would be (other people may have a different opinion as to this order):
1. Repair/restore/replace cable modem (must have for Internet).
2. Repair/restore/replace edge router (need the protection for DNS server).
3. Repair/restore/replace DNS server (critical to access certain systems).
4. Repair/restore/replace NAT router (for workstations).
At this stage, you should identify recovery priorities for system resources that support
every mission/process outlined in stage one.
Types of Impact
To analyze the impact of an incident, focus first on the consequences in terms of business
processes supported by the affected resources. A typical BIA looks at (at least) five types
of impact:
•
•
•
•
•
Financial
Reputation
Availability loss
Privacy
Data
Financial
Financial impact manifests in several ways. It might mean lost or delayed sales. It might
also lead to increased expenses, such as overtime, outsourcing, and fines. The one good
aspect of financial impact is that it has a quantitative dollar value.
Reputation
How does a potential customer feel if he or she heads to www.totalsem.com only to find
the Web site down (Figure 1-21)? Reputation is an important impact to consider, but it’s
01-ch01.indd 43
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
44
Figure 1-21
Reputation is
critical.
Noooooo!
Site
Down
also difficult to quantify. There are studies that can give a financial estimate of loss of
reputation, but even these are very specific (such as sales loss due to lost customers due
to a data breach).
Availability Loss
Every organization relies on critical data. If that data becomes unavailable, it can have
a massive negative impact on the organization. Here are some examples: customer lists
deleted; file storage disconnected and unavailable; an expired certificate that makes access
to a company Web site fail; all these describe availability loss.
Privacy
Any organization that keeps individuals’ personal information takes on several risks with
serious legal and financial impacts, both to itself and to the individuals whose data is
being stored. The next module, Module 1-6, goes into great detail on the concept of
privacy. I’ll save the details until then but address the concept of privacy impact here.
An organization performs a privacy impact assessment (PIA) to determine the impact
on the privacy of the individuals whose data is being stored and to ensure that the
organization has sufficient security controls applied to be within compliance with
applicable laws or standards.
To create a PIA, an organization performs a privacy threshold assessment (PTA) on its
infrastructure to locate personal information, determine what personal information is
stored, and from whom the personal information is collected. Once the PTA is complete,
the PIA can then be applied.
Data
Bad things can happen to good data, from outright loss to unauthorized access by
untrusted sources. Problems with data can have impacts in many categories. Data loss
reduces productivity, because the data needs to be re-created. Worse, it has a financial
impact—the time to re-create the data costs money. Finally, data loss can hurt reputationally; for example, a deliverable not getting to a client on time because of data loss
besmirches the organization.
Data breaches occur when confidential information has been exposed, whether by
accident or by malicious intent. Data exfiltration is a type of data breach, specifically
01-ch01.indd 44
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-5: Business Impact Analysis
45
involving bad actors/malware performing an unauthorized transfer of data. The impact
of such data breaches and exfiltration will undermine customer confidence, impacting
the organization’s reputation. The financial impact can come from getting sued over the
breach and paying legal fees as well.
Locating Critical Resources
Analyzing critical resources as part of a BIA can reveal unexpected vulnerabilities.
Resources needed for TotalSem’s Internet access provides a good example.
Total Seminars’ Internet access relies on four basic resources:
•
•
•
•
Cable modem
Edge router
DNS server
NAT router
The BIA clearly shows several single points of failure: if any one of these resources
fails, TotalSem loses its business process of Internet access. The impact of losing this
process could cause negative financial consequences for the company: pretty much every
employee stops working.
You should mitigate single points of failure if possible. In the case of resources needed
for Internet access, for example, several actions could mitigate the problems:
• Cable modem Add a second ISP into the mix. This could act as a failover if the
primary ISP fails.
• Edge router Cisco produces very reliable routers, but a quick check of the
Cisco Web site shows the router model used by TotalSem accepts dual power
supplies. This will help increase the MTBF (see the next section) significantly.
• DNS server A single DNS server is never a good idea. TotalSem could add a
second DNS server or create a secondary lookup zone on a cloud server.
• NAT router TotalSem uses a low-quality router, but has spares ready to go.
There will be a time impact to install the replacement, but having the spare
onsite is far better than running to the store.
Calculating Impact
The process of calculating impact has the same problem that calculating risk in earlier
modules had: is it qualitative or quantitative? The CompTIA Security+ exam touches only on qualitative business impact analysis, and only on a few well-known factors:
MTBF, MTTF, and MTTR.
The mean time between failures (MTBF) factor, which typically applies to hardware
components, represents the manufacturer’s best guess (based on historical data) regarding
01-ch01.indd 45
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
46
Figure 1-22 Router datasheet showing MTBF
how much time will pass between major failures of that component (Figure 1-22). This
is, of course, assuming that more than one failure will occur, which means that the
component will be repaired rather than replaced. Organizations should take this risk
factor into account because it may affect likelihood and impact of the risks associated
with critical systems.
The mean time to failure (MTTF) factor indicates the length of time a device is
expected to last in operation. In MTTF, only a single, definitive failure will occur and
will require that the device be replaced rather than repaired.
Lastly, the mean time to repair (MTTR) is the average time it takes to repair (or replace)
a hardware component. Mean time to recovery (MTTR) is the time it takes for a hardware
component to recover from failure. (The two MTTR definitions are frequently used
interchangeably.)
EXAM TIP You should understand the difference between mean time
between failures (MTBF), mean time to failure (MTTF), and mean time to
repair (MTTR) measurements for hardware failure.
Calculating Downtime
When systems go down, they affect other systems as well. The recovery time objective
(RTO) is the maximum amount of time that a resource should remain unavailable before
an unacceptable impact on other system resources occurs. The recovery point objective
(RPO) defines the amount of time that will pass between an incident and recovery from
backup. If a company backed up yesterday, for example, the RPO is 24 hours. If data
changes so rapidly (an accounts receivable database, for example) that any backup more
than an hour old requires calling customers or other extraordinary actions, then the RPO
is one hour. The RTO and RPO help IT professionals calculate how much an organization can or will lose if a system goes down before backup systems can be brought online.
01-ch01.indd 46
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-6: Data Security and Data Protection
47
Module 1-6: Data Security and Data Protection
This module covers the following CompTIA Security+ objectives:
• 1.6 Explain the security concerns associated with various types of
vulnerabilities
• 2.1 Explain the importance of security concepts in an enterprise environment
• 2.7 Explain the importance of physical security controls
• 5.3 Explain the importance of policies to organizational security
• 5.5 Explain privacy and sensitive data concepts in relation to security
IT security professionals protect data. Proprietary data is the lifeblood of many
companies. Those companies put a premium on securing that data (Figure 1-23).
The complexity of data security presents a challenge to IT security professionals.
Data manifests throughout an infrastructure in many ways: from a single user’s personal
folders containing a few Word documents to massive multiterabyte databases, accessed
by hundreds or even thousands of users.
The complexity of access and control of data adds another challenge to IT security
professionals. Every database program, every operating system, and many Internet
services offer settings that give administrators impressively fine control when configuring
which users and groups may access specific classes of data and what they are permitted to
do with that data. But how do we control that access? How do we look at the data and
determine the amount of access any given entity receives? We’ll answer these questions
in Chapter 3.
Handling certain types of data involves serious legal and privacy issues. Organizations
need to protect data aggressively. If your databases contain individuals’ private medical
information, customers’ personal credit card numbers, or even a young offender’s rap
sheet, you are under tremendous pressure to maintain that privacy (Figure 1-24).
This module covers the basics of data security and privacy. The module starts by
covering common methods of data organization, then delves into legal compliance and
privacy. We’ll look at tried and true methods for data destruction. The module closes by
covering privacy breaches.
Figure 1-23
Data is precious.
I’ll keep you safe!
Our
Data
01-ch01.indd 47
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
48
Figure 1-24
Storing
personal data
brings heavy
responsibilities.
Dating
Habits
Personal data MUST stay
private!
Arrest
Records
Lab
Results
Organizing Data
Attaining data security starts with organization. Analyze individual chunks of data,
such as databases, spreadsheets, access control lists, and so on. Then determine the
importance—the sensitivity—of that data. After accomplishing both tasks, sort the
data into different classifications based on sensitivity. These classifications help security
professionals to determine the amount of security control to apply to each data set.
The dynamic nature of data requires more than just classification of the data. Every
data set needs to be administered by one or more people. The roles of the people who
manage the data and the users who access that data need classification as well.
NOTE The NIST Federal Information Processing Standards (FIPS)
Publication 199, Standards for Security Categorization of Federal
Information and Information Systems, is considered by many sources
as the de facto framework for IT data classification.
Data Sensitivity
IT security professionals need to apply appropriate security controls to data, making
decisions based on the sensitivity of that data. Organizations can apply a dizzyingly large
number of security controls to data. Some data sets need stringent security controls.
Other data sets need less complex security controls. Not all data in an organization has
the same sensitivity. The more sensitive the data, the more controls we apply to ensure
its security.
Organizations spend a lot of time thinking about their data and coming up with
classifications to enable them to identify the sensitivity to in turn address their handling.
One way to consider sensitivity is by the impact of an incident that exposes the data.
NIST FIPS 199 provides one way to consider the impact by looking at the confidentiality,
integrity, and availability (CIA) of the data and breaking the impact into three levels:
low, moderate, and high (Figure 1-25). It’s also very common to differentiate between
commercial and government/military to classify data.
01-ch01.indd 48
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-6: Data Security and Data Protection
49
Figure 1-25 Impact table for data (FIPS 199)
Commercial Classifications Classifying data using commercial labels works well for
most private-sector organizations. Most security pros in the nongovernmental sector start
with some variation of the following list:
• Public Information that is not sensitive. The prices of all the products on eBay
is one example.
Private Information that specifically applies to an individual, such as a Social
Security number.
• Sensitive A generic label that is often tied to both commercial and government/
military label types.
• Confidential Information that one party offers to a second party. Usually
secured via a non-disclosure agreement (NDA). A common example is internal
company information used by its employees.
01-ch01.indd 49
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
50
• Critical Data without which an organization could not function or fulfil its
essential mission.
• Proprietary Information owned by a company that gives the company certain
competitive advantages. The secret formula to Coca-Cola is an example.
• Customer data Information about the customer, such as personally identifiable
information and personal health information (covered later in this module).
NOTE Public information may not have confidentiality, but it still needs
integrity and availability.
Government/Military Labels If you enjoy spy novels, most government/military
labels should sound familiar. In fact, these types of labels predate computers to a time
when paper documents literally had physical labels (or stamps) signifying their sensitivity.
Experts disagree on exactly what these labels mean, although not as much as with
commercial labels. Here in the United States, security professionals refer to Executive
Order 13526 of December 29, 2009, “Classified National Security Information,” which
defines the labels for government data—property of the government—as follows:
• “Top Secret” shall be applied to information, the unauthorized disclosure of which
reasonably could be expected to cause exceptionally grave damage to the national
security that the original classification authority is able to identify or describe.
• “Secret” shall be applied to information, the unauthorized disclosure of which
reasonably could be expected to cause serious damage to national security that
the original classification authority is able to identify or describe.
• “Confidential” shall be applied to information, the unauthorized disclosure of
which reasonably could be expected to cause damage to the national security that
the original classification authority is able to identify or describe.
Data Roles
Every data set needs some number of people with clearly defined roles who manage that
data at various levels. Data roles help define both the various responsibilities and the
responsible parties for the different jobs. Let’s go through the data roles listed by the
CompTIA Security+ exam objectives.
Data Owner The data owner is the entity who holds the legal ownership of a data set.
This includes any copyrights, trademarks, or other legal possession items that tie the data
set to the entity. The data owner can rent, sell, or give away the data set as the owner
sees fit. Data owners are almost always the organization itself and not an actual person.
This entity has complete control over the data and will delegate responsibility for the
management of that data set to persons or groups to handle the real work on that data.
01-ch01.indd 50
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-6: Data Security and Data Protection
51
Data Controller The General Data Protection Regulation (GDPR) in the European
Union outlines in great detail how organizations should deal with private information.
GDPR went into force in 2018 and includes a few roles added to the traditional ones,
notably the data controller and data processor. Many countries have subsequently
adopted similar regulations, so, naturally, many multinational corporations comply with
those regulations throughout their organizations.
A data controller controls the data, which sounds silly, but means the person must
ensure that data complies with the protections of personally identifiable information
(PII) thoroughly, according to the regulations in the GDPR. The data controller must
create systems about data processing and report on them as well.
Data Processor A data processor in GDPR parlance doesn’t have as much control over
the data as a data controller. The data processor essentially works under the guidance of
the data controller, handling data according to the controller’s guidelines.
Data Custodian A data custodian ensures that the technical aspects of the data set are
in good order. Data custodians are the folks who make sure the data is secure, available,
and accurate. They audit the data and ensure they have both the appropriate storage
capacity and proper backups.
Data Steward A data steward makes sure that the data set does what the data is supposed
to do for the organization. Data stewards interface with the users of the organization to
ensure data governance: to cover data requirements, to ensure legal compliance, and to
make sure the data ties to company or industry standards. Data stewards update the data
as needed to conform to needs. Data stewards also define how users access the data.
NOTE
Data stewards and data custodians always closely interact.
Data Protection Officer The GDPR requires organizations to staff the role of data
protection officer (DPO), a leadership role responsible for making sure the enterprise
complies with GDPR rules. Specifically, the DPO oversees an organization’s policies and
procedures for protection of data.
Legal and Compliance
Most countries have laws, regulations, and standards designed to protect different forms
of data. As introduced in Module 1-2, in the United States, the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley Act (SOX) provide strict
federal guidelines for the handling, storage, and transmission of data. In addition, the
Payment Card Industry Data Security Standard (PCI DSS), while not a law, has equally
stringent guidelines for the handling, storage, and transmission of credit card data. In all
these cases, the job of IT security changes from securing the IT infrastructure to making
sure the organization doesn’t get fined (and no one gets arrested!) for lack of compliance.
01-ch01.indd 51
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
52
Many companies use digital rights management (DRM) technologies to protect their
intellectual property, methods to stop easy copying (and redistributing) of music, movies,
and so on. Many governments, in turn, supplement these efforts with laws criminalizing
tampering with or circumventing the DRM technologies, such as the Digital Millennium
Copyright Act (DMCA) in the United States.
NOTE The US government has levied millions in fines and has imprisoned
individuals for violations of both HIPAA and SOX. Credit card companies
have revoked credit card processing from a huge number of businesses for
failure to comply with PCI DSS standards.
Rather than break down these individual laws/standards, it’s often better to concentrate
on some of the more important aspects. Focus on personally identifiable information,
protected health information, data retention, and data sovereignty.
Personally Identifiable Information
Personally identifiable information (PII) is any information referencing an individual that
either by itself or with other information could identify that individual, allowing persons
to contact or locate that individual without their permission. The idea of PII has been
around since the early 1970s, but came into stronger prominence with HIPAA in the
mid-1990s. PII is also very important for PCI DSS.
While there is no single definition of PII, NIST SP 800-122, Guide to Protecting
the Confidentiality of Personally Identifiable Information (PII), (Figure 1-26) provides
many examples:
• Name, such as full name, maiden name, mother’s maiden name, or alias
• Personal identification numbers, such as Social Security number (SSN), passport
number, driver’s license number, taxpayer identification number, or financial
account or credit card number
• Address information, such as street address or e-mail address
• Personal characteristics, including photographic image (especially of face or other
identifying characteristic), fingerprints, handwriting, or other biometric data
(e.g., retina scan, voice signature, facial geometry)
• Information about an individual that is linked or linkable to one of the above
(e.g., date of birth, place of birth, race, religion, weight, activities, geographical
indicators, employment information, medical information, education information,
financial information)
Different laws and standards vary the definition of what entails PII. For example, here
are a few examples of PII by PCI DSS standards:
• Account number
• Cardholder name
01-ch01.indd 52
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-6: Data Security and Data Protection
53
Figure 1-26 NIST SP 800-122
•
•
•
•
Expiration date
Magnetic strip or chip data
PIN
CVC2/CVV2/CID
Protected Health Information
Protected health information (PHI) is any form of personal health information (treatment,
diagnosis, prescriptions, etc.) electronically stored or transmitted by any health provider,
insurer, or employer. This health information must be tied to the individual’s PII to be
considered PHI. In other words, a blood pressure reading combined with age and race is
alone not PHI. A blood pressure reading combined with a name, address, or SSN is PHI.
Financial Information
Personal financial information is any information that provides insight into an individual’s finances. This includes bank account numbers, credit scores, or user name and
login information for electronic payment applications.
Privacy Enhancing Technologies
Consider the types of PII and PHI just described and ask yourself, “What types of
organization might store this type of data?” The answer is that PII/PHI exists everywhere!
01-ch01.indd 53
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
54
Hospitals, doctors’ offices, and governments all store health information. Banks and
financial institutions store financial information. Every store and e-commerce site stores
customer data, and only the government knows how much PII it keeps on you.
There are plenty of privacy enhancing tools out there to help organizations protect
PII/PHI. Let’s look at some of the more common ways used to secure this type of data
from potential exposure.
Terms of Agreement/Privacy Notice
If you’re going to use someone’s PII/PHI, you should tell them what you’re doing with
it and how you’re going to keep their data private. Terms of agreement inform parties that
your organization will be asking for and storing personal information. A privacy notice
informs the person about how you will (or in some cases will not) keep their data private.
Anyone who’s ever clicked through one of those screens on a Web page that has “I agree”
on the bottom has dealt with a privacy notice (Figure 1-27).
Data Minimization Why keep something you don’t need? Data minimization is just
like it sounds—only keeping the minimum PII/PHI for you to get the job done. This
reduces both the data contents and the amount of time the data is kept.
Data Masking Data masking is the process of hiding original data with modified
content, such as using asterisks to hide all but the last four digits of a credit card number.
Tokenization Why send around sensitive data like a credit card number when you
can replace it with a random value, or token, that’s only known by a single source to tie
Figure 1-27 Terms of Agreement
01-ch01.indd 54
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-6: Data Security and Data Protection
55
back to the actual number? Data tokenization is extremely common. For example, once
a patient’s record is stored in a database, just assign a patient number to that record so
things like name and address don’t have to be associated with that patient number.
Anonymization There’s a lot of useful information that comes from PII/PHI that
doesn’t require actually identifying the people whose information is part of the data set.
How many people in Houston, Texas, are morbidly obese? What’s the average age for
women in the United States to have their first child? How many complaints came in last
month about our new smartphone app? These types of statistics are very helpful, but
it’s up to the data set provider to ensure that no PII/PHI is retrieved by implementing
anonymization of the data.
TIP Anonymization removes all PII/PHI. Pseudoanonymization tokenizes
the PII/PHI.
Sometimes the process of extracting anonymous data from a PII data set creates
problems—or worse yet might accidently allow exposure of PII. One way to avoid this
issue is to create a second data set and replace all PII with token data that looks random.
This is called pseudoanonymization.
Data Retention
A number of laws and regulations have strict requirements regarding how long types of
organizations must retain different types of data. Data retention is part of the information
life cycle. The Sarbanes-Oxley Act is easily the most far-reaching law affecting the types of
data public companies must retain and the length of time they must retain that data. In
particular, IT departments must react to two parts of the law covered in Section 802(a):
Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or
makes a false entry in any record, document, or tangible object with the intent to
impede, obstruct, or influence the investigation … shall be fined under this title,
imprisoned not more than 20 years, or both.
Yipe! But at least it also gives some idea as to the length of time companies need to retain
records:
Any accountant who conducts an audit of an issuer of securities … shall maintain
all audit or review workpapers for a period of 5 years from the end of the fiscal
period in which the audit or review was concluded.
It’s not that hard to keep contracts, accounts, audits, and such for five years, but
this also includes e-mail. Managing and storing e-mail for an entire company can be a
challenge, especially because e-mail is usually under the control of individual users (ever
deleted an e-mail?). SOX alone changed everything, requiring publicly traded companies
to adopt standard practices outlined in the law and making lots of storage providers very
happy indeed!
01-ch01.indd 55
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
56
EXAM TIP The information life cycle is generally understood to have five
phases, from creation to storage, usage, archival, and then destruction.
Data retention falls into cycles two and four. We’ll see cycle five a little later
in this module.
Data Sovereignty
Governments have laws in place to give them access to data. That data could help solve
crimes, protect people, and so on; and the desire for access is clear. The question that
begs in a world of multinational corporations and cloud computing as the normal way
to store data is, which laws apply to data stored in which countries? Let’s explore this
through a scenario.
Microsoft has servers based in Ireland. Some e-mail accounts hosted on those servers
belong to people who might have committed crimes in the United States. Microsoft
Corporation is a US-based company. If the US government decides that it needs access
to those e-mail account records, which US law or laws permit such access, and what can
or should Microsoft do in response?
The concept of data sovereignty determines that the laws of the country of origin of
data apply to that data. The e-mail accounts hosted by a server in Ireland (an EU member
nation), therefore, must abide by—and are protected by—EU laws, not US laws. This
isn’t just a hypothetical scenario, by the way. Microsoft argued and won against the US
government that US laws did not apply to its Ireland-based holdings.
Data Destruction
When it’s time to get rid of storage media, you should also destroy the data stored on
that media. But how do you destroy media in such a way to ensure the data is gone? Let’s
take a moment to talk about secure data destruction/media sanitization. NIST SP 800-88,
Rev. 1, Guidelines for Media Sanitization, provides some great guidelines (Figure 1-28).
Figure 1-28 NIST SP 800-88, Rev. 1
01-ch01.indd 56
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-6: Data Security and Data Protection
57
The CompTIA Security+ exam covers a number of different data destruction methods
that apply to specific types of data. Stored data fits into one of two categories: legacy
media (paper, film, tape, etc.) or electronic media (hard drives, SD cards, optical media,
etc.). Each category has different methods for data destruction.
NOTE The terms data destruction, data sanitization, and data purging are
interchangeable.
Legacy Media
Given that most legacy media isn’t completely erasable, the best way to eliminate the data
is to destroy the media. Paper, film, and tape are all extremely flammable, so burning is an
excellent method to destroy the data. For “greener” organizations, pulping water-soluble
media (paper) enables them to recycle the media and not pollute the environment.
Electronic Media
Almost all electronic media is erasable, so in many cases you can nondestructively remove
the data. Simple erasing, however, even reformatting, isn’t enough. A good forensic
examiner can recover the original data from a hard disk that’s been erased as many as nine
times. You need to go through a specific wiping process that removes any residual data.
NIST SP 800-88, Rev. 1, describes the ATA Secure Erase command built into PATA and
SATA drives. Third-party solutions can help here. Several programs can perform a secure
erase. Figure 1-29 shows DBAN 2.3.0 (Darik’s Boot and Nuke), a popular secure erase
utility (and it’s free!).
Figure 1-29 DBAN 2.3.0 (Darik’s Boot and Nuke)
01-ch01.indd 57
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
58
To ensure complete data destruction, destroy the media. A common method is
degaussing the media through a degaussing machine. A degausser uses a powerful
electromagnet both to wipe the data and make the media useless.
Pulverizing or shredding are great methods for destroying media as well. Pulverizing
means to smash completely. Shredding works for both legacy media and electronic media.
A classic shredder can shred paper, optical media, and many types of flash media. There
are several types of shredding cuts (Figure 1-30).
Shredding doesn’t stop with paper! There are machines available that shred (or
pulverize, or crush) just about any media, reducing them to bits of metal for you to
recycle. You’ll see those machines, and much more about data sanitizing, in Chapter 5,
Module 5-7.
Privacy Breaches
We talked about data breaches back in Module 1-5 and the reputational and financial
impact to an organization. Organizational consequences of privacy and data breaches
involving PII or PHI have a whole order of magnitude more impact. You’ve likely heard
of data breaches of health insurance companies, dating Web sites, and other hosts of
PII and PHI. These breaches have led to horrific reputational damage, identity theft of
customers, intellectual property stolen (IP theft), civil court cases with massive fines . . .
and in a few cases, people going to jail. The serious consequences of privacy breaches like
these require organizations to address any incidents quickly and aggressively.
First, organizations that are subject to industry or governmental regulations, such
as PCI, HIPAA, and so on, are required to escalate these incidents by reporting to the
proper government agencies. These regulations are important. Before they came into
force, organizations would try to hide privacy breaches or even deny they happened at
all. Last, organizations, through moral or legal reasons, should provide public notification
and disclosure of the type of data exposed to lessen reputational damage and avoid legal
actions based on failure to disclose. An organization should not only make a public
notification of the breach, they also should make a best attempt to inform those affected.
Web sites such as https://haveibeenpwned.com, for example, provide the public with
easy access to determine if an e-mail address has been breached.
EXAM TIP Expect a question on the CompTIA Security+ exam that asks
about proper company response to breaches and private or sensitive data
loss. The organization must provide notification of breaches to customers,
escalation of response to government agencies, and public notifications.
01-ch01.indd 58
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-6: Data Security and Data Protection
59
Figure 1-30 Shredded drive
01-ch01.indd 59
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
60
Module 1-7: Personnel Risk and Policies
This module covers the following CompTIA Security+ objective:
• 5.3 Explain the importance of policies to organizational security
An organization’s users—the human beings who perform their jobs every day by using
the resources of the organization’s IT infrastructure—are also one of the biggest IT risk
issues faced by security professionals. Human actions, from accidental to innocent,
from incompetent to downright criminal, keep security pros awake at night in fear
and loathing.
But it doesn’t have to be that way. A well-organized risk management plan includes
detailed policies that define security controls to mitigate risk brought on by personnel.
This module explores the lifespan of an employee’s relationship with an organization, from
hiring day to exit day, and examines the risk concepts and security controls used to keep
users from trashing the place.
Specifically, the module starts with hiring and onboarding, then goes into detail on
personnel management policies. The module wraps up with discussions about user
training and policies that apply to user habits.
NOTE Policies in and of themselves do not provide security. Well-designed
policies implemented and followed diligently by users can provide security.
What people do matters a whole lot.
Hiring
Personnel risk management starts before the new employee ever steps into the infrastructure. In today’s security-conscious environment, a potential new hire is screened
heavily. At the very least, it’s common for someone in an organization to do a social media
analysis—checking Facebook or Instagram (or the current flavor of the day) for behavior
that doesn’t fit the company’s values—and a general Web search. Many organizations
perform background checks to look for potential issues, such as felony convictions, and to
verify résumé statements.
Any company with substantial intellectual property will require new employees—and
occasionally even potential candidates—to sign a non-disclosure agreement (NDA), a legal
document that prohibits the signer from disclosing any company secrets learned as a part
of his or her job.
Onboarding
Onboarding is the process of giving a new hire the knowledge and skills he or she needs to
do the job, while at the same time defining the behaviors expected of the new hire within
the corporate culture. A lot of onboarding has nothing to do with IT security, but some
part of the process usually is dedicated to helping new hires understand the expectations
01-ch01.indd 60
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-7: Personnel Risk and Policies
61
and attitudes toward IT security that are important to the organization. One of the biggest issues is their understanding of the organization’s personnel management policies.
You can’t be on
Facebook all day.
Just sayin. . .
New
kid!
Onboa
rd
talk
That Onboarding Moment
Personnel Management Policies
A personnel management policy defines the way a user works within the organization. An
organization will invest in one or more personnel management policies to help mitigate a
number of different types of personnel risks. Let’s go through all of these personnel management policies to see how they work to make an infrastructure less vulnerable to risks.
Standard Operating Procedures
An important part of the onboarding process is making sure new hires understand the
standard operating procedures (SOPs)—that is, how they do things according to the organization’s best practices—for their job functions. Some SOPs that are particularly important for IT security include login procedures, usable data storage locations, use of security
credentials, and procedures for lost or damaged equipment.
No, seriously.
Social media is
out. Right out.
New
kid!
S.O.P.
Necessary Knowledge
Mandatory Vacations
Many industries (for example, the US banking industry) require all employees to take off
work for a minimum of two weeks every year, a mandatory vacation. Mandatory vacations
are an important security control mainly to make it harder to perpetuate embezzlement.
01-ch01.indd 61
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
62
Any embezzlement scheme usually requires the embezzler to monitor orders
constantly, manipulate records, or deal with issues that might arise to keep themselves
from being detected.
NOTE Mandatory vacations have benefits beyond IT security, but for the
exam think “embezzlement.”
Job Rotation
Job rotation involves periodically switching people around to work in different positions.
This practice enables different people to become proficient in a variety of job roles so that
the organization doesn’t have to depend solely on one person to perform certain critical
functions or tasks. If something were to happen to an individual occupying a critical
position, for example, another person could step in to do the job.
When people become too comfortable with a job, they might believe that they can get
away with performing actions they are not authorized to perform. Rotating people into
different positions increases the potential to detect fraud or misuse in that position and
can discourage or prevent nefarious activities.
Job rotation is difficult for many organizations, for the same reasons that organizations
don’t always implement mandatory vacations. A shortage of trained personnel as well as
positions that require substantial training and commitment are two reasons why job
rotation isn’t always performed.
Separation of Duties
In the separation of duties concept, a single individual should not perform all critical or
privileged-level duties. These types of important duties must be separated or divided
among several individuals.
Separation of duties ensures that no single individual can perform sufficiently
critical or privileged actions that could seriously damage a system, operation, or the
organization. These critical or privileged actions can be split among two or more people,
requiring some level of checks and balances. Security auditors responsible for reviewing
security logs, for example, should not necessarily have administrative rights over systems.
Likewise, a security administrator should not have the capability to review or alter logs,
because he or she could perform unauthorized actions and then delete any trace of them
from the logs. Two separate individuals are required to perform such activities to ensure
verifiability and traceability.
Separation of duties is considered an administrative control, because it’s related to
policy. Closely related to the concept of separation of duties is the technique of using
multiperson control to perform some tasks or functions.
NOTE A related concept to separation of duties is the principle of least
privilege—don’t give people access to anything beyond what they need to
accomplish their jobs. CompTIA adds least privilege as a personnel policy,
but it’s more of a principle. You’ll find more discussion in Chapter 3.
01-ch01.indd 62
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-7: Personnel Risk and Policies
63
Multiperson Control
Multiperson control means that more than one person is required to accomplish a specific
task or function. An organization might implement multiperson controls, for example,
to ensure that one person, by herself, could not initiate an action that would cause detrimental consequences for the organization, resulting in loss of data, destruction of systems, or theft.
Organizations implement multiperson control by dividing up critical tasks to require
more than one person to accomplish those tasks. In a banking environment, for example, one
person may be authorized to sign negotiable instruments, such as checks, for up to $10,000.
Beyond the limit of $10,000, however, requires two signatures to process the transaction.
This would help prevent one malicious person from stealing more than $10,000. Although
it’s conceivable that two people could conspire to use their assigned abilities to commit an
unauthorized act, fraud in this case, separation of duties and multiperson control make
this more difficult. In this case, counter-signing a check is a multiperson control. In an
information security environment, multiperson control could be used to access sensitive
documents, recover passwords or encryption keys, and so on.
Training
User training should take place at two very distinct points in the user’s relationship with
an organization: during the onboarding process to get the new hire to understand and
subscribe to critical policies and good user habits and, possibly even more importantly,
as an ongoing continuing-education process. Let’s look at role-based training and various
training techniques.
NOTE Just as policies do not achieve security if they are not implemented,
training does not achieve security if its lessons aren’t implemented. Users
need ongoing, memorable training, because people forget details over
time or, worse, choose not to follow best practices because they’re too hard.
Training requires enforcement to make it stick.
Role-Based Training
User training differs according to the role an individual plays in an organization. Rolebased training targets five broad categories: user, privileged user, executive user, system
administrator, and data owner/system owner. Let’s look at all five.
User A user must understand how his or her system functions and have proper security
training to recognize common issues (malware, unauthorized user at his or her system, etc.).
Privileged User A privileged user has increased access and control over a system,
including access to tools unavailable to regular users. Like a regular user, the privileged
user needs a basic understanding of his or her system’s functions; the privileged user must
also have security awareness that ties to access level. A regular user may run anti-malware
software, for example, but a privileged user may update the anti-malware program as well
as run it.
01-ch01.indd 63
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
64
Executive User An executive user concentrates on strategic decisions including policy
review, incident response, and disaster recovery.
System Administrator The system administrator has complete, direct control over a
system. His or her training would include best practices for adding and removing users,
applying permissions, and doing system maintenance and debugging.
Data Owner/System Owner From a role-based training aspect, these two otherwise
slightly different functions are very similar in that in almost all cases the data owner is
the organization. In these cases, the main security role here is to know how to delegate
security awareness to the proper authority. For data, this is usually the data custodian; for
systems, it is usually the system administrator.
Training Techniques
Ongoing user training is critical to keep users aware of potential attacks on the organization’s infrastructure. The downside of ongoing training is that it can get very, very boring,
and users will tune out or ignore the training. Thus, keeping users’ attention requires
incorporating a diversity of training techniques. Change those PowerPoint presentations
into videos. Change those videos into games. Change those instructional memos into
classroom training. With computer-based training (CBT) these days, it’s easy to provide
diversity in training.
Gamification Gamification turns learning about security into games. The term
encompasses a wide variety of activities, from tablet-based mini games to full-on
competitions among users that feature points, badges, a leaderboard, and more.
Capture the Flag Capture the flag means to direct someone to accomplish something
on a remote system. For training purposes, we can challenge entry-level security personnel
to apply what they’ve learned in a controlled environment. It’s fun to talk about SQL
injections or cross-site scripting, but it really lights people up the first time you let them
do these attacks. (And it’s best if the attacks don’t actually destroy your network or
someone else’s network.) See Modules 7-1, 11-3, and 12-2 in later chapters for discussion
of specific cyberattacks.
Phishing Campaigns Phishing attacks represent the greatest threat to company security
that involves users specifically. Phishing is an attempt to get personal information from
people through e-mail, social media, instant messaging, and other forms of electronic
communications. The most classic form of phishing is sending e-mail messages with
links to fraudulent Web sites that purport to be legitimate Web sites. It might look like
a message from your bank, but that “link” goes to the fraudulent Web site to grab your
information.
The best way to create user awareness about phishing is through an in-house phishing
campaign. Send out e-mail messages to your users and see just how many of them go to
the fraudulent Web site you’ve created. Phishing campaigns are a way to see who needs
training. Not comfortable making a phishing campaign from scratch? Plenty of vendors
sell software packages or Web sites for phishing simulations.
01-ch01.indd 64
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-7: Personnel Risk and Policies
65
Policies
If people are going to use your organization’s equipment, they need to read, understand,
and, in most cases, sign policies that directly affect the user’s experience. Two policy types
handle this job: acceptable use policies and security policies.
Acceptable Use Policy/Rules of Behavior Policy
An acceptable use policy (AUP), also called a rules of behavior policy, defines what a user
may or may not do on the organization’s equipment. These policies tend to be very
detailed documents, carefully listing what users may and may not do. Some examples of
issues covered in an AUP include
•
•
•
•
Company data can only be used for company business uses.
Users will not access illegal or unacceptable Internet sites.
Users will not introduce malware into a system.
Users will work aggressively to protect company systems and data.
General Security Policies
People use social media networks and personal e-mail to exchange information and photographs and keep in touch with family members and friends. Unfortunately, some people
post way too much information on social media networks and through social media
applications—hello, Snapchat—decreasing their (and others’) level of privacy.
Although organizations may have very little control over what individual employees
post to social media sites and send in their e-mail, it’s a good idea to create a relevant
policy and train users on what they should and should not post on social media or
e-mail to others. For example, users should be briefed that they should not post any
sensitive or proprietary information on their social media sites that would compromise
the organization or result in any type of unauthorized access or breach of information.
User Habits
In addition to policy-related topics, topics that concern the actions and habits of users
must be addressed in training programs. Many such items will also be set forth in policy,
but that doesn’t mean that users don’t need training and reinforcement to break bad
habits where they exist. We’ll look at some of these bad habits in the next few sections
and, where appropriate, discuss how they also may be established in policy and why they
should be included in any organizational information security training program.
Password Behaviors
By now, you should be aware that password issues can pose serious problems in an organization. Users forget passwords, write them down where they can be easily discovered
by others, share passwords, use simple passwords, and so on. These are the causes of
most password security issues, and the reasons why users need training regarding how
01-ch01.indd 65
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
66
to create and use passwords properly in the organization. Following are some key points
that should be emphasized:
•
•
•
•
•
Users should create long passwords.
Users should create complex passwords.
Users must try to create passwords that don’t use dictionary words.
Users should never share their passwords or write them down.
Users should change their passwords often to thwart password attacks.
Of course, you should also use technical measures to reinforce some of these rules,
including configuring systems to allow only complex passwords of a certain length, as
well as password expiration rules. Periodically check around the users’ work areas to
make sure they haven’t written down passwords, and ensure that multiple people aren’t
using the same accounts and passwords to log into systems. In addition, check to see if
your password policies are being complied with by occasionally engaging in password
cracking yourself—with the appropriate approval from management, of course. The
problems associated with password behaviors, as well as the speed and ease with which
passwords can be cracked by sophisticated attackers and systems, are the main reasons
why organizations should consider multifactor authentication methods. (Check out
Chapter 3, Module 3-2 for more details on multifactor authentication.)
Clean Desk Policies
A clean desk space policy isn’t about asking employees not to leave old soda cans and candy
wrappers on their desks! Instead, it creates a process for employees to clear sensitive data
out of work areas so that it is stored securely at the end of the workday. Sensitive data
must not be exposed to unauthorized people such as janitors, maintenance personnel,
guards, and even other employees when an authorized employee is away from his or
her desk.
A clean desk policy can apply to any time employees are using sensitive data at their
desks and they need to leave the area. The goal is to make sure that sensitive data is not
unattended and available. This policy should be developed and implemented as a formal
written policy, and all employees should be trained on it.
Preventing Social Engineering Attacks
Users should be briefed on the general concepts of social engineering and how it works,
and they should also be briefed on the specific types of attacks they may encounter, such
as shoulder surfing, tailgating, dumpster diving, and so on. By being aware of these
attacks, they can do their part in helping to prevent them. Tailgating, in particular,
exposes the organization and others to serious harm or danger if an unauthorized person
is allowed to enter the facility. Users should be trained on how to spot potential social
engineering attacks, including tailgaters, and how to respond to them by following organizational policies and procedures.
01-ch01.indd 66
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-7: Personnel Risk and Policies
67
Personally Owned Devices
Users should get training on risks posed by bringing personally owned devices to work and
how they might help prevent these risks. Using such devices in the organization can lead
to a loss of privacy by the individual, as well as loss of both personal and organizational
data if the device is lost or stolen. If the organization allows individuals to manage their
own devices, while allowing their use in the organization to process the organization’s
data, then the organization incurs a huge risk. Users must be trained on those risks and
how serious their responsibilities are.
If the organization centrally manages mobile devices with mobile device management
(MDM) software, the risk is significantly lowered because the organization can use
remote capabilities to lock, encrypt, or wipe data on the device. Users should be briefed
on these capabilities if they are used within the organization to manage devices, because
users must accept organizational control of their devices and the policies that may be
enforced on them.
Many companies around the globe have clear policies on bring your own device (BYOD),
the catchy phrase for incorporating employee-owned technology (such as laptops, tablets,
and smartphones) in the corporate network. As the trend intensifies, just about every
organization should have such policies.
Offboarding
When employees leave an organization, the organization must perform a number of
important steps to ensure a tidy and professional separation. This process, called
offboarding, varies among organizations, but includes several common steps:
• Termination letter
• Equipment return
• Knowledge transfer
Termination Letter/Exit Interview
An employee should provide a written termination letter, defining the final day of employment. In many organizations, this is also the time to perform an exit interview. Exit
interviews give the soon-to-be-separated employee an opportunity to provide insight to
the employer about ways to improve the organization. Some example questions include
• What are your main reasons for leaving?
• What procedures can we improve upon?
Return of Equipment
All organizations should use a checklist to ensure that all equipment owned by the organization is returned by the departing employee. This includes computers, phones, and
tablets, as well as any other issued equipment. Also, this is the time to return keys,
ID cards, and other access tools.
01-ch01.indd 67
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
68
Knowledge Transfer
Knowledge transfer is the process that makes sure a separating employee provides any
and all knowledge needed by the organization. In some cases knowledge transfer may last
weeks. In other cases it’s no more than part of the exit interview.
Module 1-8: Third-Party Risk and Policies
This module covers the following CompTIA Security+ objectives:
• 1.6 Explain the security concerns associated with various types of
vulnerabilities
• 5.3 Explain the importance of policies to organizational security
Every organization interacts with third parties. Every infrastructure has vendors,
contractors, business-to-business (B2B) intranets, partnerships, service providers—the
list of third parties touching an infrastructure in one way or another is endless. The
challenge with all these third parties is risk. For example, in 2019, two Facebook apps—
developed by third parties that interact with Facebook—gashed out over 500 million
personal records in hacks. Those records included usernames, groups, passwords, likes,
movies, photos, music, and much more. Home Depot in 2014 had over 50 million
customer credit card numbers stolen by a hack of its third-party payment systems. This
list can go on for a very long time.
What can IT security professionals do to mitigate risks potentially created by those
outside the infrastructure? General security practices hold third parties to certain levels
of security through several types of agreements (Figure 1-31). This module considers the
concept of third-party risk and risk management and then looks at some of the more
common types of agreements used between parties.
Third-Party Risk Management
If your organization works with vendors, then it must use vendor management, the process
of handling everything from selecting vendors and negotiating contracts or agreements
with them to eventually terminating those vendor relationships. Vendor management
is critically important when it comes to IT security.
Figure 1-31
It’s all in the
agreement.
01-ch01.indd 68
Agreement
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-8: Third-Party Risk and Policies
69
It’s said that the devil is in the details; this is definitely true when it comes to security
considerations that involve multiple parties. When you negotiate a contract with a
third-party provider or business partner, you must ensure that several considerations
are specified in your business agreements. You should have representatives from your
security, privacy, and legal departments review any business agreements with third parties
to ensure that certain security-related stipulations are included in the agreements and the
day-to-day business transactions with outside entities. Let’s look at a few of these security
considerations next.
Data Storage
Whether it’s a supplier accessing your inventory databases or a group of programmers
creating your next great Web app, vendors will need to access data stored on your organization’s systems directly or store your organization’s data on their own systems. Controls
over data storage must match the same level regardless of whether your organization or
the third party maintains that data.
Just as your organization has its own security policies, procedures, and processes, thirdparty organizations have their own as well. Before your organization conducts business
with another organization, the two parties need to negotiate how to handle any conflicts
between their respective policies, procedures, and processes regarding data storage that
might affect the business relationship.
In some cases, contract agreements may specify security policies and procedures that
both parties must follow regarding shared data or contracted services. This applies to all
third parties: software developers, service providers, business associates, subcontractors,
and so on. Security policies and procedures agreed upon in advance ensure that external
entities protect your organization’s data to the level your organization would protect the
data internally.
Data Privacy Considerations
Your organization must ensure privacy when exchanging data with any third party. If you
contract services with a third party, make sure to agree on data privacy safeguards prior
to entering into any business agreements. Privacy considerations include employee data
privacy; privacy related to the type of data itself, such as financial data, personally identifiable information (PII), and protected health information (PHI); and how the third
party will treat this data.
Legal or regulatory governance may provide you some protection, in that the third party
has to obey laws with regard to data privacy, but you may find that your organization has
additional requirements that need to be met by the third party. It’s also possible that the
agreement could be too restrictive in favor of the service provider, and your organization
requires more flexible terms to ensure data privacy to your standards.
In any case, ensure to specify in any agreements made between your organization and
a third-party provider or business associate how to handle private data, including how
it is stored, processed, accessed, and especially transmitted to other third parties. For
example, the HIPAA security regulations require that any third-party providers (referred
to as “business associates” in HIPAA parlance) that could possibly have access to PHI be
subjected to strict access control and handling requirements for that type of data.
01-ch01.indd 69
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
70
Unauthorized Data Sharing
Security policies set forth in third-party agreements should cover unauthorized data sharing and access control. In addition to setting forth minimum requirements for access
control, which include administrative, technical, and operational controls, the agreement
should set forth mechanisms that an organization must use in order to share data with
other authorized parties, as well as conditions under which the third party must comply
with the law in sharing data with government and law enforcement agencies. The agreement should also cover how the organizations will respond in the event of a data breach
or unauthorized access. Last, the agreement specifies who is liable for any fines or damages stemming from unauthorized data sharing.
Data Ownership
Organizations must define the types of data to which they claim ownership initially and
how they would classify that data in terms of its sensitivity and protection requirements.
The organizations must also determine how they will decide on ownership of data that is
created during the contract term and who will control it. Some third parties that process
data for an organization specifically agree that any data created during the contract term
still belongs to the originating organization, but other third-party providers may maintain that they have legal ownership over any data that is created on their systems, based
upon their unique processes or proprietary methods. This issue must be resolved prior to
engaging in business with a third party. Issues with data ownership can lead to disputes
over copyrights and patents, as well as unauthorized disclosure issues between two parties
that both claim to own the data produced.
Supply Chain Concerns
Ensuring the security of supply chains—equipment, software, online services that collectively make products happen—requires proactive measures. IT security folks conduct
supply chain assessments to ensure the availability of those critical components, to secure
alternative processes, and to verify the security of data.
Two important aspects of supply chain assessment are end of life (EOL) and end of
service life (EOSL). These two terms are similar but have important, if subtle, differences.
All products have a life cycle. Software versions are abandoned after a new version
comes out. When a software or hardware vendor releases a new version of its product, it
abandons any effort to update, market, or sell the prior version.
Vendors must let us know when a product reaches the end of its life. A lack of vendor
support clearly marks a risk in dealing with third parties. A vendor releases an EOL to
inform its customers that it will no longer sell a particular product, although the vendor
may provide upgrades, patches, or maintenance.
End of service life marks the moment that an organization stops supporting a product.
Microsoft might continue to provide updates and security patches for Windows 8.1, for
example, but Highland Gadgets Corporation no longer provides support for operating
systems older than Windows 10. The latter enterprise therefore announces the EOSL for
Windows 8.1.
01-ch01.indd 70
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-8: Third-Party Risk and Policies
71
System Integration
There are many situations where two organizations might find it beneficial to perform
many types of system integration, linking or matching networks, software, security,
services, and so forth. To share data securely, for example, a third-party vendor might
integrate its domain to your Active Directory forest and then create trust relationships.
System integration comes with all the risks of any single system. Users from the
third party must be created with proper passwords. Both parties must use careful trust
relationships to make sure no one has access to the other’s data and resources unless
needed. Third-party systems need acceptable anti-malware … this list goes on and on!
Measurement Systems Analysis
Having systems in place to test or check production and services provides necessary data
about third-party contributions to the organization. Measurement systems analysis (MSA)
tests the accuracy of those systems and data collection using math.
As an example of how MSA is helpful in managing third-party risk, a supply-chain
supervisor gets complaints that some part coming from Source Alpha seems to be causing
all sorts of problems with the end product. The supervisor checks production and finds
that Source Alpha follows every guideline for production to the letter. What could cause
the problem? If the calibration or measurements used for production were off by just a
little, the end product could be off by a lot. MSA checks the accuracy of the measurements
to discover errors.
Agreement Types
When your organization enters into any type of business partnership or agreement with a
third-party business partner or service provider, the agreements and contract documents
created serve to protect both organizations from a legal perspective as well as establish
the terms of the business relationship. You’ll need to be familiar with several types of
documents for the exam, covering various aspects of data protection, interoperability,
interconnection, and so on. They basically define the interoperability relationship between the two (and sometimes more) parties. Obviously, these types of agreements will
be negotiated by the business contracting and legal personnel in each organization, but
advice and input should also come from other affected functions within the businesses,
such as security, privacy, IT support, and so on. Let’s take a look at a few of these types
of business agreements.
Sales and Purchase Agreement
A sales and purchase agreement (SPA) is a legal document obligating a buyer to buy and
a seller to sell a product or service. SPAs are critical and common for large, complex
purchases. An SPA not only defines prices but payment amounts and time frames for
deposits. On the seller’s side, an SPA defines how and when the property is to be transferred to the seller, acceptable condition of the goods or services, and any details that
might impede the transfer.
01-ch01.indd 71
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
72
You’ll often see SPAs used in the cabling industry. Pulling cable, especially in an existing
building, is complex. A good SPA for cabling covers all of the issues, such as when the
installation will take place, when it will be complete, what types of cabling will be used,
where the cable runs will go, how the runs will be labeled, how technicians will enter your
facility, and whether the vendor is paid at once or at certain completion points.
Service Level Agreement
A service level agreement (SLA) is a legal document that defines the level of service that
a third-party provider guarantees it will provide to the organization. The provider guarantees the service that it provides to be up and running and usable by the organization
either for a certain percentage of time or to a certain level of standards. If the provider is
storing or processing data for the organization, the SLA may state that the data will be
available in a particular format, through a particular application or system, in a specified format, and to authorized users within the organization. If the provider is offering
a service such as outsourced network or Web-based transactional services, for example,
the SLA states that the services will be available for authorized users whenever they need
them. The SLA may describe technologies and redundant systems used to ensure availability for the customer’s data and services, as well as specify what actions the provider
will take in the event of incidents that may affect availability of services, and how long
the provider has to restore full access for the organization. Finally, most SLAs specify
penalties for failure to provide the specified service.
NOTE Time is an important element for an SLA—length of time of the
agreement, uptime guarantees, and response time for problems.
Business Partnership Agreement
The business partnership agreement (BPA) specifies what type of relationships the different
parties will have, usually from a legal perspective. An entirely separate company may be
established for the business venture, combining elements of both individual businesses;
this is usually for long-term or large-scale ventures. Usually, however, legal agreements
dictate the type of partnerships or customer–provider relationships. These partnerships
are usually distinguished by scope, term length, and level of product, service, data access,
and so forth provided to each party in the agreement.
NOTE A BPA rarely has a time frame but it will have clear methods for
ending the partnership.
Memorandum of Understanding
A memorandum of understanding (MOU), sometimes called a memorandum of agreement
(MOA), is a document often used within a large business or government agency that
01-ch01.indd 72
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Module 1-8: Third-Party Risk and Policies
73
establishes an agreement between two independently managed parties that may be working together on a project or business venture. In this type of agreement, a contract isn’t
necessarily in place (nor required), simply because both parties work for the same overall
organization. An MOU is established so that each party will agree to provide certain
services or functions to the other party. Since both parties may work for the same higherlevel organization, money doesn’t necessarily change hands, but it could in a fee-forservice model where funds are transferred from one party’s account to another’s within
the same company, for example. An example of this type of MOU would be if a division
of the company provides data center services to other divisions of the same company;
this MOU would outline the division’s responsibilities and guaranteed levels of services
to another division that uses it for data storage and protection.
You’ll also see an MOU type of agreement between different government agencies;
a military base, for example, may agree to provide network infrastructure services for
another nonmilitary government agency that resides on the base (think of NASA, for
example, which may have divisions housed on various US Army and US Air Force bases
throughout the world).
You could also see an MOU between two businesses, of course, as part of a larger
contract agreement; this may simply serve to define functions and interactions between
two lower-level functions or departments located in each organization that weren’t
specified in the overall contract. The MOU may be agreed to and signed off by the
middle-level managers of each department.
Non-Disclosure Agreement
There are plenty of situations where your organization needs to provide a vendor private/
proprietary information. A non-disclosure agreement (NDA) is a legally binding agreement
by your vendor that it will not release or expose the information your organization provides to it to any person not specifically listed in the NDA.
Interconnection Security Agreement
Telecommunication companies will use an interconnection security agreement (ISA)
when connecting to each other’s network to handle essential details about technology
and personnel. An ISA is not a legal document used to cover technical issues between
two parties. An ISA may detail how two independently owned and managed network
infrastructures are connected to each other. The businesses that own each network may
require interconnections to share and access each other’s data, and may use this type of
agreement to specify the technical details needed for the connections. The ISA may specify security requirements, such as firewall and VPN use, encryption levels and methods,
authentication types, allowed protocols, and so forth. The ISA may be an attachment or
amendment to the overall contract between parties.
Verifying Compliance and Performance
Any agreement between business parties and providers should specify how each party can
verify compliance and performance standards. The parties may specify certain common
01-ch01.indd 73
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
74
standards and performance levels that each party has to meet, as well as legal or governance compliance. Audits or periodic inspections may be used by either party to verify
the other party’s compliance and performance. Access control checks, data integrity
checks, and review of availability mechanisms (such as backup and restore devices and
processes) may be addressed in this part of the agreement. Performance and security metrics such as throughput, availability times, backup frequency, limits on data permissions,
and so forth may be specified and used to measure whether or not each organization is
adhering to compliance and performance standards. Details regarding noncompliance
and failure to perform up to standards should also be addressed in such agreements to
give each party an avenue of redress against the other.
Questions
1. A script kiddie is a classic example of a(n) __________.
A. attacker
B. criminal
C. threat
D. threat actor
2. Risk is often considered formulaically as
A. Risk = Probability × Threat
B. Risk = Threat × Impact
C. Risk = Vulnerability × Threat
D. Risk = Probability × Impact
3. A company makes a document called “Acceptable Use” that defines what the
company allows users to do and not do on their work systems. The company
requires new employees to read and sign this. What is this type of document called?
A. Standard
B. Policy
C. Procedure
D. Control
4. A __________ is a description of a complex process, concentrating on major
steps and the flows between the steps.
A. law
B. procedure
C. framework
D. control
01-ch01.indd 74
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Questions
75
5. A No Trespassing sign is an example of a __________ control.
A. deterrent
B. preventive
C. detective
D. corrective
6. A lock on the door of a building is an example of a __________ control.
A. deterrent
B. preventive
C. detective
D. corrective
7. An asset’s exposure factor is measured in __________.
A. dollars
B. percentages
C. units
D. reputation
8. Which of the following equations is correct?
A. Single-Loss Expectancy = Asset Value × Exposure Factor
B. Annualized Rate of Occurrence = Asset Value × Exposure Factor
C. Annualized Loss Expectancy = Asset Value × Exposure Factor
D. Single Rate of Occurrence = Asset Value × Exposure Factor
9. Financial is one type of business impact. Which of the following names another?
A. Pride
B. Technical
C. Device
D. Reputation
10. Which of the following represents the component manufacturer’s best guess
(based on historical data) regarding how much time will pass between major
failures of that component?
A. MTTR
B. MTBF
C. MTMB
D. MOAB
01-ch01.indd 75
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 1
Chapter 1: Risk Management
76
Answers
1. D. A script kiddie is a classic example of a threat actor.
2. D. Risk is often considered formulaically as Risk = Probability × Impact.
3. B. Policies are normally written documents that define an organization’s goals and
actions. Acceptable use policies are very common.
4. C. A framework is a description of a complex process, concentrating on major
steps and the flows between the steps.
5. A. A deterrent control deters a threat actor from performing a threat. A No Trespassing
sign is a good example.
6. B. A preventive control stops threat actors from performing a threat. Locks are a
notable example.
7. B. Exposure factor is measured in terms of a percentage of loss to the value of
that asset.
8. A. The only correct equation is Single-Loss Expectancy = Asset Value × Exposure
Factor.
9. D. Of the choices listed, only reputation is a common business impact.
10. B. Mean time between failures (MTBF) represents the component manufacturer’s
best guess (based on historical data) regarding how much time will pass between
major failures of that component.
01-ch01.indd 76
25/03/21 2:11 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
CHAPTER
Cryptography
2
Now he had learned that a machine, simple in its design, could produce results of
infinite complexity.
—Neal Stephenson, Cryptonomicon
Every organization has private data, data accessible by authorized users and not accessible
to outsiders. This data includes customer databases; e-mails with critical business strategies; file servers with proprietary recipes and manufacturing processes; cameras sending
images of security gates; and Web sites where people type in their names, addresses, and
credit card information. Organizations need to keep this data secure. Encryption gives
organizations the tools to accomplish this goal.
Encryption is a reversible process of converting data such that to a third party the data
is nothing more than a random binary string. Note the phrase reversible process. This
means a good encryption method must make it easy for someone who knows something
secret to encrypt the data and to reverse the process to return the data from an encrypted
state to an unencrypted state. Decrypting makes encrypted data readable.
This chapter explores cryptography, the science of encrypting and decrypting data, in
nine modules:
•
•
•
•
•
•
•
•
•
Cryptography Basics
Cryptographic Methods
Symmetric Cryptosystems
Asymmetric Cryptosystems
Hashing Algorithms
Digital Signatures and Certificates
Public Key Infrastructure
Cryptographic Attacks
Other Cryptosystems
77
02-ch02.indd 77
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
78
Module 2-1: Cryptography Basics
This module covers the following CompTIA Security+ objectives:
• 2.1 Explain the importance of security concepts in an enterprise environment
• 2.8 Summarize the basics of cryptographic concepts
Cryptography provides methods and technologies to enable people and systems
to exchange information securely, from local connections to enterprise environments
that span the globe. Cryptography ensures confidentiality—the encrypted data can be
unencrypted and read only by the intended recipient. Cryptography also affords integrity,
so the recipient can know that the data received matches the data sent—that the data
hasn’t been altered in some way. To accomplish these tasks, developers and programmers
have created immensely complicated and awesome systems…and those systems come
with a ton of epic jargon and details.
This module begins the exploration into the systems that make up modern
cryptographic methods. It starts with basic building block concepts, such as plaintext
and ciphertext. You’ll look at early cryptography to understand the methods with simple
examples. The module finishes with an overview of the essential components of every
cryptographic system.
Essential Building Blocks
Cryptography has terms that describe the state of data, tools used to affect that data, and
the movement of data from one state to another. This section discusses these terms:
• Plaintext and ciphertext
• Code and cipher
• Data at rest, data in use, data in transit
Plaintext and Ciphertext
IT professionals use the terms plaintext and ciphertext to describe the current readability
of data. Humans and machines can easily read plaintext. Ciphertext, on the other hand,
is unreadable. The process of converting plaintext information into ciphertext information is called encryption. The goal of encryption is to obfuscate the plaintext—to make
it unreadable, to look as though it were simply a random jumble of data. Essentially,
encryption is about data protection. The reverse of encryption, converting ciphertext back
into plaintext, is called decryption. Figure 2-1 shows the icons used here when discussing
plaintext and ciphertext.
NOTE Don’t mistake the “text” portion of the words plaintext and ciphertext
to mean only letters of the alphabet. Any form of easily readable binary data
is plaintext. Any form of encrypted binary data is ciphertext.
02-ch02.indd 78
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-1: Cryptography Basics
79
Figure 2-1
Plaintext and
ciphertext
Plaintext
Ciphertext
Lorem ipsum dolor
sit amet, conse
ctetur adipiscing
elit, sed do eius
mod
12 46 5e 4e f0 5a
fd c4 9f db 50 10
2b ff 26 08 c2 2a 9b
ab a5 78 65 95 d1
14 9c 67 a9 47 39
db f8 d2 90 83 a6
Code and Cipher
IT professionals use the terms code and cipher to describe generically the ways tools
encrypt and decrypt. A code is a representation of an entire phrase or sentence, whereas
a cipher tends to represent text on a character-by-character basis. For example, a coded
version of the phrase “We attack at dawn” might be “Mother bought some brown eggs
at the store.” Codes are not typically transformative; that is, there is usually no formal
process to convert the true meanings of messages into their coded equivalents or back.
Codes usually require a codebook, a predefined dictionary that translates codes to their
plaintext messages and back. The need for a codebook limits the range of messages that
can be sent and received via codes. Codes were common before computers, but are not
at all common today in modern cryptography.
Ciphers, on the other hand, use some form of formal, usually mathematical process to
work instead of a fixed codebook. This makes the range of potential messages that can be
sent using ciphers essentially unlimited, because these processes are usually done on the
fly. Modern cryptographic methods with computers tend to use ciphers.
You may sometimes hear the terms encode and decode (as well as encipher and decipher)
thrown around. In encoding, data transforms, changes from one form to another. For
example, you can encode a sound file from uncompressed WAV format into an MP3 file
format. This saves space, but has nothing to do with security. In cryptography, encipher
and encrypt mean the same thing, although the former is not in common use. Since
IT security focuses on ciphers, this book sticks to the terms that apply to ciphers: encrypt
and decrypt.
NOTE Codes are entire words and phrases; ciphers are individual characters.
The cryptography methods discussed in this book focus on ciphers.
Data at Rest, Data in Use, and Data in Transit
Dealing with cryptography for computer data depends on the location of the data and
the actions of that data at any given moment. The process of encrypting and decrypting data sitting on a hard drive, for example, differs from the process of encrypting and
02-ch02.indd 79
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
80
decrypting data moving wirelessly between a wireless access point and a wireless client.
Three terms define the current state of data:
• Data at rest
• Data in use
• Data in transit
Data at Rest Data at rest describes data that resides in storage. This data is not currently
accessed, transmitted, or received, nor used by the computer. Data at rest is normally
represented by data stored in static files on a hard drive or other storage media, when
the device that holds that media is powered down. In other words, data on a laptop
computer, powered down and sitting in Steve’s bag, is data at rest.
NOTE Once Steve has logged into his computer at the airport lounge, the
data on the laptop’s SSD could change at any time. So is it truly data at rest?
Cybersecurity professionals argue this point a lot, and some call the data
subject to change data at rest (inconstant). You won’t see that phrase on the
CompTIA Security+ exam.
Data in Use Data in use describes data currently in use by a computing device and not
at rest or in transit. Data in a computer’s RAM and accessed by the computer’s CPU,
operating system, and applications is data in use. Operating systems and applications
take data at rest and put it into use on a constant basis, transforming it, using it as input
to processes, and so on. A Microsoft Word document Susan is currently editing is an
obvious example.
Lots of techniques target data in use. Shoulder surfing—a social engineering technique
where someone literally or figuratively looks over a user’s shoulder to view/record the
contents on the screen—can grab data in use. A fairly simple USB keycatcher—easy to
install when a user isn’t looking—can record or transmit via wireless everything the user
types. Data in use is very much data in danger!
EXAM TIP The CompTIA Security+ objectives use the term data in processing
as an alternative label for data in use. Don’t be thrown off by the odd term.
Data in Transit Data in transit describes data currently in transport. This data is being
transmitted or received from one person or host to another. Examples of data in transit
include information moving over a network, over an Internet connection, from computer
to computer over an Ethernet connection, or even over wireless networks. The data is not
in storage; it has been transformed and formatted to be transmitted and received.
Data in transit has high requirements for confidentiality. It’s relatively easy for
malicious actors to intercept transmitting data, so we need good encryption. Data in
02-ch02.indd 80
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-1: Cryptography Basics
81
transit also has very high requirements for integrity. The recipient must have assurance
that the data received is the same as the data sent.
EXAM TIP The CompTIA Security+ objectives describe a key facet of
data protection as dealing with data in transit/motion. The industry term
used here, data in transit, means the same thing. Don’t get tripped up by
the wording.
Outstanding! The module has covered enough terms to enable a brief survey of the
history of cryptography. Pay attention here, as almost everything done hundreds of years
ago is still used today on modern computers.
Early Cryptography
People throughout the past few thousand years have used cryptography to protect personal secrets, military troop movements, diplomatic messages, and so on. Historians have
discovered several examples of the uses of crude, but effective, cryptographic methods,
such as the Spartan scytale, which was a baton or stick with a strip of parchment wound
around it several times, from one end of the stick to the other (Figure 2-2). After the
parchment was wrapped on the baton, a person wrote a message in plaintext. Once the
parchment was removed from the stick, the words on the strip of parchment made no
sense, since they were effectively encrypted. To “decrypt” the message, the receiver had
to know the exact dimensions of the baton and have an identical one so that he could
rewrap the parchment the same way around the baton and read the message.
Figure 2-2
Author’s homemade scytale
(Attack at dawn)
02-ch02.indd 81
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
82
Other historical uses of cryptography involved using different techniques to scramble
letters of the alphabet so that only the sender and recipient would know how to
unscramble and read them. The next sections of the chapter discuss those methods.
Still other, more modern ways of using cryptography involved the use of specially built
machines to encrypt and decrypt messages. The classic example is the Enigma machine
used by the Germans during World War II. This machine used encryption techniques
that were considered unbreakable, until Dr. Alan Turing, a British mathematician, figured
out how the machine worked and the methods it used to encrypt its information. Turing,
now considered the father of modern cryptography and, to a large degree, computers,
decrypted intercepted German messages. The capability of the British government to
decrypt German military communications gave the Allies incredible insight into enemy
troop movements, invasion plans, and so forth, effectively turning the tide of the war.
Alan Turing didn’t invent cryptography, but many of the concepts used today were
quantified by him in the huge number of academic papers Turing wrote. Turing clarified
the ideas of substitution and transposition, the two pillars of cryptography.
Substitution
A substitution cipher swaps letters of the alphabet for other letters. To make a substitution
cipher work, rotate the letters of the alphabet by some number of characters, then swap
the letters that will substitute for them. A typical rotation shifts the alphabet 13 characters, called ROT13. Here’s the standard alphabet:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
And here’s the same alphabet with ROT13 applied:
NOPQRSTUVWXYZABCDEFGHIJKLM
Note that the letter N replaces letter A. Letter G replaces letter T. Line the two up so you
can see the full replacement scheme:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
NOPQRSTUVWXYZABCDEFGHIJKLM
Now apply an example. The plaintext phrase, WE ATTACK AT DAWN, would
change to JRNGGNPXNGQNJA in ROT13 encryption.
NOTE ROT13 is not the only ROT cipher. You can do ROT2, ROT10, ROT25,
and so on.
This type of cipher is also called a shift cipher because it essentially shifts the entire
alphabet down 13 spaces and then starts over with the first letter. Still other methods of
using substitution ciphers might use different words to begin the substitution alphabet
and then follow those words with the rest of the alphabet in normal order.
02-ch02.indd 82
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-1: Cryptography Basics
83
NOTE Julius Caesar used a substitution cipher in his military campaigns for
sensitive communications. Thus, a substitution cipher is commonly referred
to as a Caesar cipher.
A Vigenère cipher takes the Caesar cipher to its extreme. Figure 2-3 shows a tabula
recta, a table of all 26 possible ROT ciphers that creates a grid. The Vigenère cipher uses
a repeating key word to determine which row to use for encryption.
Here’s how to use the tabula recta and key word to encrypt the plaintext. Find the
plaintext letter at the top (column), then use the key word letter along the side (row).
The matching column and row intersection provides the encrypted letter. An example
will make this clear.
Again our plaintext is WE ATTACK AT DAWN. And we’ll use a key word of MIKE
(repeated here to match the text):
WEATTACKATDAWN
MIKEMIKEMIKEMI
Figure 2-3 Vigenère cipher table, or tabula recta
02-ch02.indd 83
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
84
Use the tabula recta to create the encrypted phrase. Here are the first five letters:
W
E
A
T
T
→
→
→
→
→
M
I
K
E
M
=
=
=
=
=
I
M
K
X
F
And so on . . .
Note that the second “T” encrypts to a different letter than the first “T” because of the
difference in the key word letter. Sweet! Here’s the fully encrypted phrase:
IMKXFIMOMBNEIV
If the recipient knows the key word, he or she can quickly decipher the code. Without
the key word, deciphering becomes more difficult (and relies on repetition analysis and
so forth).
Vigenère ciphers were popular for centuries. Examples of substitution ciphers can be
found in the standard word puzzle books you see on magazine racks in supermarkets and
bookstores.
In cryptography, confusion means that every character in a key is used to make the
ciphertext more random looking. Adding a key to change the ROT value of every
character adds confusion, making a Vigenère cipher much harder to crack than a ROT.
Vigenère ciphers have a weakness. Encrypt the plaintext WE ATTACK AT NOON
with the MIKE key, but each letter in the key only affects the plaintext character directly
underneath it. A better encryption should act in such a way that even the smallest change
in the key makes for very different ciphertext. This is called diffusion. The Vigenère
cipher lacks diffusion. Modern codes do not!
Transposition
A transposition cipher transposes or changes the order of characters in a message using
some predetermined method that both the sender and recipient know. The sender transposes the message and sends it. The recipient applies the same transposition method in
reverse, decrypting the message. There are a variety of different transposition methods,
including columnar, rail fence, and route ciphers. Current computer-based cryptography
uses both substitution and transposition together in wildly complex ways.
Cryptanalysis
For as long as people have encrypted and decrypted data (or messages or whatever), others have tried to crack those messages. Cryptanalysis is the study of breaking encryption,
the opposite of cryptography. You perform cryptanalysis on ciphertext data to reverse
it to a plaintext state when you do not have access to the methods used to encrypt the
data in the first place. Both security professionals and malicious actors perform cryptanalysis when attempting to decrypt ciphertext. There are hundreds, if not thousands, of
methods for performing cryptanalysis, but many of them depend upon having a piece of
plaintext that can be compared to its corresponding ciphertext, and vice versa, when you
have some knowledge of the methods used to encrypt and decrypt the text. The next few
modules discuss various methods of cryptanalysis.
02-ch02.indd 84
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-1: Cryptography Basics
85
Cryptography Components
Cryptography has several basic components that make the process work. These include
algorithms, keys, XOR functions, shifts, rounds, and cryptosystems. While this module
covers only the basics of these components, the remaining modules on cryptography
discuss in depth how these different components work together.
Algorithms and Keys
Algorithms and keys work together to create cryptographic methods used to encrypt and
decrypt messages. (They also can create cryptographic hash functions, used for digital
signatures and more, a subject covered in depth in Module 2-5.)
Algorithms are mathematical constructs that define how to transform plaintext into
ciphertext, as well as how to reverse that process during decryption. An individual algorithm
might be very simple or very complex. A very simple algorithm used in a substitution
cipher, for example, only requires shifting a letter several spaces to the right. Almost all
the real-world algorithms used in IT encryption/decryption are extraordinarily complex.
A single algorithm will contain a dizzying number of mathematical manipulations.
A key applies a variable used by the algorithm for the final cryptosystem (see the
upcoming section “Cryptosystems”). In a ROT13 cryptosystem, ROT is the algorithm—
to implement the encryption/decryption, shift letters of the alphabet. The 13 is the key
or cryptovariable that defines how many letters to shift.
Algorithms often don’t change. Keys change to keep bad actors guessing.
Keys are kept secret. Keys are typically not simplistic numbers. They are often complex,
lengthy strings of numbers or characters. A key might also be a password, passphrase,
personal identification number (PIN), code word, and so on. Algorithms and keys are
used to encrypt or decrypt text, as illustrated in Figure 2-4.
Figure 2-4
Algorithms and
keys
Key
Plaintext
Ciphertext
Algorithm
02-ch02.indd 85
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
86
Algorithms are generally well known and tested, giving cryptographers and security
professionals a level of confidence in their strength and ability to protect data. Kerckhoffs’
principle states that the algorithm should not be the secret part of the cryptographic
process or method used; the key should be kept secret, not the algorithm. Most security
professionals follow this principle.
NOTE Dutch cryptographer Auguste Kerckhoffs developed Kerckhoffs’
principle in the late 19th century. This stuff has been around for a while!
Key escrow grants knowledge or copies of keys to a third party. Businesses and other
organizations use key escrow to store keys securely in the event that they are lost, they
become corrupt, or an individual in the company with the only knowledge of the keys is
terminated or quits. Key escrow provides an exception to Kerckhoffs’ principle.
EXAM TIP An algorithm is a mathematical construct or rule that dictates
how data will be encrypted and decrypted. Algorithms are generally well
known and not kept secret. Secret algorithms are not needed. Keys are
the variables that algorithms use to ensure secrecy and randomness in the
cryptographic process. Keys should be kept secret.
Key length or key size refers to the number of bits in a key; this number implies
security—a hacker can readily break a short key, for example. With the unbelievable
growth in computing power today, on the other hand, a long key doesn’t necessarily
equate to better security. You’ll see various key lengths used in practical cryptography in
Modules 2-3 and 2-4.
The most secure keys would come from truly randomly generated numbers, numbers
that no one could predict. Such a number would have an entropy value of 1, meaning full
entropy or complete unpredictability. The reverse of this, with a completely deterministic
system, would have an entropy value of 0. The ROT13 system discussed earlier, for
example, with its predictable, fixed system, is such a deterministic system.
Computers are not random, though, but very much predictable. Many will use
software to generate pseudorandom numbers based on some mathematical system. Not
surprisingly, the type of software used in cryptography is called a cryptographically secure
pseudorandom number generator (CSPRNG), or simply cryptographic random number
generator (CRNG). The factor to keep in mind here is that the keys come from some
system and thus provide a place for threat actors to attack. We’ll see more of this in
Module 2-8, “Cryptographic Attacks.”
Block and Streaming Algorithms
Algorithms have a wide variety of characteristics that include mathematical foundation,
strength, and how they operate on plaintext. Modules 2-3 and 2-4 go into detail about
specific algorithms used in cipher suites (groups of algorithms used to secure network
connections), but for now, let’s discuss an important distinction within algorithms: block
and streaming.
02-ch02.indd 86
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-1: Cryptography Basics
87
Remember the distinction between codes and ciphers and how they work with entire
phrases (codes) or on individual characters (ciphers)? The algorithms discussed in this
book work on binary digits (bits) of plaintext, either individually or in specified groups.
A block algorithm operates on a predefined size of a group of bits, known as a block.
Different block algorithms use different block sizes, but typical sizes are 16-, 64-, and
128-bit blocks. Most of the algorithms discussed in this book are block algorithms.
Streaming algorithms operate on individual bits, one bit at a time. Streaming algorithms
don’t work on blocks of text; instead, they look at each individual bit and perform a
mathematical operation on that bit and then move on to the next bit. Streaming
algorithms tend to work much faster than block algorithms and are used in cryptographic
methods that support fast communications requirements, such as wireless technologies.
EXAM TIP Block algorithms work on predefined sizes of plaintext blocks,
while streaming algorithms work on single bits of plaintext. CompTIA refers
to streaming algorithms as stream algorithms.
Streaming algorithms have a problem. Since they only encrypt one bit at a time, they
need a piece of arbitrary value or string to get the encryption process started. This code,
called an initialization vector (IV), provides the necessary randomness for the algorithms.
There are also some interesting situations where IVs work in a block protocol as well.
See “DES” in Module 2-3 for more.
XOR Functions
Computing devices use binary data. Hard drives store Word documents in binary format. YouTube videos stream to a browser in binary format. Caesar ciphers use alphabets,
not bits, so they don’t readily apply to binary data. Computers need mathematical tools
to encrypt, to transpose and substitute ones and zeros. The most commonly used binary
math function used in cryptography is called eXclusive OR (XOR). XOR compares two
bits to determine difference.
With XOR, any bits that compare and are the same (two binary 0’s, for example) yield
a resultant bit of false (and produce a 0-bit as the output). Any bits that compare and
are different (a binary 1 and a binary 0) produce a true value, and an output bit of 1 is
generated. Figure 2-5 illustrates this process. (If you’ve taken the CompTIA Network+
exam, then you know about XOR comparison from subnetting. The 1’s in the subnet
mask compare to the IP address to differentiate the network ID from the host ID.)
NOTE XOR results might seem a little weird at first. Keep in mind that
XOR determines differences in compared data. A true result means that the
compared data is not the same. A false result means the data is the same.
Here’s an example of XOR in action, encrypting the randomly selected name, Mike, as
the data:
MIKE
02-ch02.indd 87
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
88
Keystream
Ciphertext
XOR
Plaintext Input
Plaintext
Keystream Value Text Value XOR’d Value
1
1
0
0
0
0
1
0
1
0
1
1
Figure 2-5 The XOR function in action
As a first step, convert these four letters into binary. For this example, we’ll use ASCII
code. ASCII converts every letter of the English alphabet in 8-bit binary values:
M
I
K
E
=
=
=
=
01001101
01001001
01001011
01000101
So, MIKE in binary is 01001101010010010100101101000101. This string of bits is
the plaintext.
The XOR function compares two binary values, right? To encrypt with XOR requires
another value to compare with the plaintext. To XOR encrypt this binary data, therefore,
we need a binary key. Let’s arbitrarily choose the ridiculously easy key of 0110. To
encrypt, repeatedly place the key under the plaintext, as follows:
01001101010010010100101101000101 (plaintext)
01100110011001100110011001100110 (key repeated)
Now go one bit at a time, using XOR to encrypt:
01001101010010010100101101000101
01100110011001100110011001100110
00101011001011110010110100100011 (ciphertext)
02-ch02.indd 88
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-1: Cryptography Basics
89
Congrats! You’ve just done binary encryption, in this example using XOR. Want to
decrypt the ciphertext? Just XOR it against the repeated key, as follows:
00101011001011110010110100100011 (ciphertext)
01100110011001100110011001100110 (key repeated)
01001101010010010100101101000101 (plaintext)
Using XOR solely, especially with such a short key, creates an easily cracked ciphertext.
Let’s make it harder by adding a shift.
Shifts
As the name implies, a shift in binary means moving the ciphertext left or right. Let’s shift
the ciphertext four digits to the left. Here’s the initial ciphertext:
00101011001011110010110100100011
Now, take the first four binary values on the far left and move them to the end on the
far right, as follows:
10110010111100101101001000110010
Adding a shift increases the complexity involved in decrypting. You need the key, plus
knowledge of the shift.
A simple shift makes better encryption, but a powerful computer can figure out this
shifty trick in milliseconds! Let’s enhance the encryption by doing the whole XOR/leftshift multiple times.
Rounds
Repeating the XOR/left-shift iteration more than once—such as five times—makes the
encryption harder to crack. It also means it will take longer to encrypt and decrypt,
because every encryption and decryption must repeat the iteration five times. (That’s the
price required for security.) Each of these XOR/left-shift iterations is called a round. Most
modern algorithms use multiple rounds, repeating the process several times to ensure
that the process is effective.
Cryptosystems
A cryptosystem includes everything in a cryptographic process, such as the algorithms,
keys, functions, methods, and techniques. The example used here—the Mike Meyers
Excellent Cryptosystem—includes four components:
•
•
•
•
02-ch02.indd 89
A four-bit key
An XOR
A four-digit left shift of the ciphertext
The XOR/left-shift iteration repeated in five rounds
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
90
Cryptosystems use algorithms and keys as basic components to stir up the binary data
and also implement them in ways that enable the encryption/decryption to be faster,
more efficient, or stronger.
Module 2-2: Cryptographic Methods
This module covers the following CompTIA Security+ objectives:
• 2.1 Explain the importance of security concepts in an enterprise environment
• 2.8 Summarize the basics of cryptographic concepts
You can differentiate cryptographic methods by the encryption method used, either
symmetric or asymmetric. These two types of cryptography focus more on the aspect
of the keys used than the algorithms, although each type has its own algorithms, as
discussed in later modules.
This module explores symmetric cryptography first, followed by asymmetric
cryptography. The third section in the module describes a unique type of cryptography
called hashing. The fourth section explores the relative limitations between symmetric
and asymmetric cryptographic systems. The fifth section puts symmetric cryptographic
systems, asymmetric cryptographic systems, and hashing together in hybrid cryptography.
The final section discusses what makes a perfect cryptosystem.
Symmetric Cryptography
Symmetric cryptography uses a single key that both encrypts and decrypts data. All parties
that require access to a piece of encrypted data know that key. If someone encrypts a file
or sends a secure message to another person, both persons must have the key used to
encrypt the data to decrypt it.
NOTE The industry uses the terms “symmetric cryptography” and
“symmetric-key cryptography” interchangeably. You’ll see that here and in
a similar form with “asymmetric cryptography” used interchangeably with
“asymmetric-key cryptography.”
Symmetric keys are sometimes called secret keys or session keys. Session keys, more
specifically, are created and used for a single communications session. They are not
reused after the communications session ends. If the parties want to communicate again
using symmetric cryptography, new session keys are generated by either party or by the
cryptosystem in use. Figure 2-6 shows how two parties use symmetric keys to exchange
sensitive data.
EXAM TIP Symmetric key cryptography uses a single key that both encrypts
and decrypts data.
02-ch02.indd 90
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-2: Cryptographic Methods
91
Figure 2-6
Symmetric keys
in use
Symmetric Key
Symmetric Key
Plaintext
Ciphertext
Symmetric Algorithm
Symmetric Algorithm
Plaintext
Symmetric key cryptography is both low latency (quick to respond) and good at
handling large amounts of data, such as storage or transmission of large files. Symmetric
keys require minimal computational overhead. Since only one key is involved, in
communications limited to only two parties, symmetric key cryptography works great.
Symmetric key cryptography has a couple of weaknesses in scaling and key exchange.
First, when multiple parties require access to the same encrypted data (such as a group
of friends or business associates), the exchange uses the same key. The more people
who have the key, the greater the chances that it will get inadvertently disclosed to an
unauthorized person. Second, getting the key into the hands of only the desired users
presents challenges.
Let’s look at an example of the scaling problem. User Meghan wants to communicate
with user Amy. Both need only one secret key. Adding more users, such as Tim, Bobby,
and Dawn, means each must have the same key to access the encrypted data.
What if, however, Meghan wants only Amy to view a piece of data, and she doesn’t
want Tim, Bobby, or Dawn to see it? Meghan must maintain separate symmetric keys
for each party with whom she wants to communicate. Among a few people this scenario
might be manageable. But imagine what happens if Meghan needs to maintain separate
keys for 100 people? Meghan has a lot of keys!
Worse yet, what if each of the 100 people required secure, unique communication
with every other user? How many total keys must be generated?
02-ch02.indd 91
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
92
Math comes to the rescue here. The total number of keys required is equal to the
number of people in the group, multiplied by that same number less 1, and then divided
by 2. Here’s the formula:
K = N × (N – 1)/2
• K is the total number of keys required.
• N is the number of people in the group.
So: K = 100 × (100 – 1)/2 = 4950. As you can see, with 100 users, a lot of keys must
be generated, issued, and exchanged among each pair of users in the group who must
securely communicate. Symmetric key cryptography does not scale very well in larger
groups or entities that must securely communicate with one another.
Key exchange refers to the process used to exchange keys between users who send
a message and those who receive it. Without the key, an authorized user or message
recipient can’t decrypt the message; the message will simply remain as ciphertext.
Since only one key is used in a symmetric communication, there must be a way to
deliver the key securely to the right users, with an assurance that it won’t be intercepted
and compromised. E-mail is usually not the most secure way, although sometimes people
send their secret keys via an e-mail message. Manual methods offer a little more security,
such as giving someone a key stored on a USB memory stick.
Most of the time, especially in large organizations or when communicating with
someone over greater distances, manual exchange isn’t practical. The problem with key
exchange, therefore, is getting the key to someone using a means that is considered
secure—so that the key will not be intercepted and used by an unauthorized person,
rendering the entire process useless. Symmetric key cryptography has problems with
secure key exchange.
Key exchange has two terms to describe the exchange methods:
• In-band
• Out-of-band
In-band key exchange involves using the same communications channel you are using
to send the message to send the key. This may not be the most secure way, since that
channel may be monitored by a malicious person.
Out-of-band key exchange involves the use of a separate, independent channel, such
as snail mail, USB stick, or even a different network connection, to send the key to the
authorized users. In smaller groups of users that reside near each other, key exchange
may not be much of a problem. In large organizations, however, in which users may
be geographically separated, key exchange can be an issue, especially when using only
symmetric key cryptography.
EXAM TIP Symmetric key cryptography excels in speed, efficiency, and the
ability to handle large amounts of data easily. The disadvantages primarily
involve scalability and key exchange.
02-ch02.indd 92
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-2: Cryptographic Methods
93
Asymmetric Cryptography
Asymmetric cryptography uses two separate keys—a key pair—for secure communication.
Data encrypted with one key requires the other key in the key pair for decryption.
In public key cryptography—the primary asymmetric implementation—these keys are
called a public key and a private key. Each user is issued or generates a key pair for his or
her own use. The user gives the public key to anyone, even posting it on the Internet.
The user keeps the private key, on the other hand, secret. With public key cryptography,
what one key encrypts, only the other key can decrypt, and vice versa. If the key in the
pair is used to encrypt a message, it cannot decrypt the same message. This makes the
cryptography process, particularly sending and receiving confidential messages, different
from the process used in symmetric key cryptography.
EXAM TIP Public key cryptography uses two mathematically related keys
in a pair, a public key and a private key. What one key encrypts, only the
other key in the pair may decrypt, and vice versa. In current systems,
the public key encrypts and the private key decrypts. (See Module 2-6
for the only use for reversing this process, validating a certificate by viewing
the digital signature.)
Jack and Jill want to communicate using public key cryptography. They need to follow
specific steps. First, each must generate a unique key pair. Second, each user makes his or
her public key readily available, such as posting it to the Internet.
Jack acquires Jill’s public key, encrypts a message using that key, and sends it to Jill. Jill
receives the message and decrypts it with her private key. Her private key is the only way
to decrypt a message encrypted with her public key.
For Jill to send a message to Jack securely, she reverses the process. She gets his public
key and uses it to encrypt the message. Upon receipt, Jack decrypts the message using his
private key. It’s an elegant system. Figures 2-7 and 2-8 demonstrate this process.
Asymmetric key cryptography has several advantages over symmetric key cryptography,
the major one being key exchange. The process eliminates key exchange issues, since no
Private Keys Kept Secret
Figure 2-7
Distribution
of public and
private keys
Jill’s Private Key
Jack’s Private Key
Jack’s Public Key
02-ch02.indd 93
Public Keys Exchanged
Jill’s Public Key
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
94
Figure 2-8
Using asymmetric key cryptography
Jill’s Public Key
Jack’s Public Key
Jack’s Private Key
Jill’s Private Key
Jack
Jill
one really has to exchange a key. Anyone can acquire the public key. The sending party
encrypts the message with the receiving person’s public key, and only the recipient who
possesses the private key can decrypt it.
Asymmetric key cryptography has a couple of disadvantages as well. First, it’s slower
than symmetric key cryptography and more computationally intensive to generate keys.
Second, it works well only with small amounts of data; it’s not suited for bulk data
encryption or transmission. Module 2-7 will discuss the primary uses of asymmetric
key cryptography, which involve public key infrastructure, or PKI, and uses of digital
certificates and signatures.
EXAM TIP Asymmetric key cryptography does great key exchange, but
features slower speed compared to symmetric key cryptography and
doesn’t handle large amounts of data very efficiently. Expect a question or
two on the CompTIA Security+ exam that asks you to contrast symmetric vs.
asymmetric encryption concepts and methods.
Hashing
Hashing provides integrity in the confidentiality, integrity, availability (CIA) triad of security by creating unique numbers for data and originators of information. Hashing
helps verify that data came from a specific source and that the data did not change from
what was sent.
In the hashing process, variable-length text, such as a document or spreadsheet, or
even a password, is exposed to a cryptographic algorithm that produces a cryptographic
sum, or hash (also sometimes called a message digest), of the document. This hash is only
a representation of the text; it is not the same thing as the text itself. Think of a hash as a
unique fingerprint that identifies a very specific piece of plaintext. The piece of plaintext
can be any length, and it generally does not matter how large the input plaintext is. The
resulting hash will always be a fixed-length piece of ciphertext, usually expressed in a
hexadecimal format. An example of a typical hash is shown in Figure 2-9.
02-ch02.indd 94
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-2: Cryptographic Methods
95
Figure 2-9 A hash value computed for a file
Unlike the encryption and decryption process, hashing was not designed to be
reversible. In other words, you don’t simply encrypt text with a hashing function with
the expectation of decrypting it later. Hashing is a one-way mathematical function whose
sole purpose is to produce the cryptographic sum of the input plaintext. Think of the
hashing process as sort of a measuring process for the data, with the resultant hash being
the actual measurement itself.
Although its purpose is not to decrypt text, the cryptographic sum produced by hashing
has some uses. First, hashing is used to provide for integrity of data. A hash is unique to a
particular piece of text. If one letter or word of the text is altered in any way, if even one
binary digit changes, the resulting hash will differ from the original hash. Hashing assures
the integrity of a piece of plaintext, since any changes would produce an easily detected
different sum. Figure 2-10 shows the hashing process.
Data transmitted over a network can be hashed before transmission and after
reception, and the two resulting hashes can be compared. If the hashes match, you have
unaltered data. If they differ, you can assume that the data has changed in some way
during transmission. We’ll discuss hashing in more depth in Module 2-5, with specific
examples of hashing methods.
NOTE The term “message” generically refers to any piece of variable-length
text, be it a password, text document, spreadsheet, picture file, or any other
type of data.
Figure 2-10
The hashing
process
Variable-Length Text
02-ch02.indd 95
Hashing Algorithm
Fixed-Length
Hash or Message Digest
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
96
Limitations in Symmetric vs. Asymmetric Cryptography
You need to have clarity on the relative strengths and weaknesses of symmetric and asymmetric cryptography in concept before you delve into the next two modules, which layer
on all the specific implementations of those systems. Limitations of systems include
•
•
•
•
•
•
•
•
•
•
Speed
Size
Weak keys
Time
Longevity
Predictability
Reuse
Entropy
Computational overheads
Resource vs. security constraints
The module has discussed several of these limitations already, notably speed, size, weak
keys, and computational overheads, noting that symmetric encryption is faster and has
lower computational overhead than asymmetric encryption and that small-sized keys are
weak keys. Size also relates to symmetric encryption handling larger files more efficiently
than asymmetric encryption. The other limitations require a little more discussion.
No encryption scheme is unbreakable. Developers instead strive to create an
encryption scheme that provides strong enough security to make it too difficult—in
terms of time and computational power needed—to crack. Because technology advances
rapidly increase the computing power available to hackers, on the other hand, the
relative security of any cryptosystem is a moving target. Folks at the National Institute
of Standards and Technology (NIST) keep track of these things, rating the longevity of
each active cryptosystem, as in how many years a cryptosystem remains secure in the
current computing environment. We’ll save the details for the next couple of modules,
but current cryptosystems are pretty awesome, and increasing the size of keys by just a
single bit makes a cryptosystem twice as hard to crack.
Modern cryptographic systems generate some kind of key to encrypt and decrypt
messages, but those keys usher in limitations and vulnerabilities. We discussed the entropy
level of pseudorandom numbers in the previous module, a measure of how predictable
those numbers can be. The four characters in the Mike Meyers Excellent Cryptosystem,
for example, have a very low entropy level, meaning a hacker could predict or guess
them pretty quickly. Other cryptosystems might seem to have much tougher keys,
such as 64-bit keys, but if 32 bits of the key have high predictability, the overall key is
vulnerable to attack. There’s also the reuse factor for keys. An 8-bit key, for example,
would generate numbers between 0 and 255, which means the numbers would quickly
be reused, making the 8-bit key weak. In contrast, a one-time password that’s never
reused? Almost uncrackable.
02-ch02.indd 96
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-2: Cryptographic Methods
97
Finally, resource vs. security constraints boils down to the relationship between how
much computing power goes into the system and the security of the system. Higher key
lengths offer more security but require more computing power to deal with. A millioncharacter one-use key would be utterly secure, but to generate that every time a message
gets encrypted/decrypted would kill modern systems. Every cryptosystem works on this
balancing principle, defining an inherent limitation.
Hybrid Cryptography
Many modern implementations of cryptography combine symmetric key and asymmetric key functions with hashing to create a highly secure mashup generically called hybrid
cryptography. Symmetric key cryptography handles large data well, but is weak at key
exchange. Asymmetric does key exchange well, but encrypts/decrypts more slowly than
symmetric. Both pretty much define confidentiality, but lack integrity. Hashing provides
the missing integrity aspect.
Here’s an example of hybrid key cryptography in action. A common method of key
exchange involves the creation of a “secret” between the two parties. This secret is then
run through a hash to create the one-and-only unique, cannot-be-reversed (supposedly)
key to be used on the symmetric side. Encrypt and send this hash via your asymmetric
system and voilà! You’ve securely exchanged a viable key for your symmetric side.
Nothing is perfect, of course, and there are many variables—using certificates to
identify each party, encryption streams within the exchange, and so on. But for the
purposes of this discussion, just remember hybrid encryption means to use combinations
of symmetric, asymmetric, and hashing to ensure better confidentiality and integrity.
EXAM TIP Hybrid cryptography leverages the advantages of both symmetric
and asymmetric key cryptography and eliminates their disadvantages.
The Perfect Cryptosystem
Cryptosystems should render unclear or unintelligible—obfuscate—any plaintext into
what anyone who can’t decrypt would see as nothing more than random data. This
obfuscation makes data secure. Security through obfuscation is what cryptography is
all about!
EXAM TIP Look for questions on the CompTIA Security+ exam that ask you
to recognize common use cases of cryptography supporting obfuscation.
You’ll see more use cases when we tackle specific cryptosystems in
Modules 2-3 and 2-4.
Proponents of security through obscurity argue that hiding how cryptosystems work
hardens those systems. If you invent a great cryptosystem, full of interesting math using
all kinds of substitutions, transpositions, and shifts over lots of rounds, and, in the
implementation, count on the fact that no one else knows the algorithm, you have the
perfect, uncrackable cryptosystem.
02-ch02.indd 97
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
98
NOTE Many IT security professionals argue that making a target appear
uninteresting adds a level of protection. This differently nuanced definition
of security through obscurity applies to situations such as a bank versus a
would-be robber. The robber might spend all of his time on the vault door,
so storing vital stuff in a simple locked janitor closet would work.
Security through obscurity misses one essential fact: every cryptosystem is crackable over
time. What seems impossible today becomes child’s play with tomorrow’s technologies.
Rather than hiding how cryptosystems work, modern cryptography makes algorithms
public. Making the systems available for everyone to attack exposes vulnerabilities and
weaknesses that can be addressed. Make the underlying algorithm unassailable, as
Kerckhoffs suggested, but keep the specific key used secret. Because of this attitude,
new, more resilient cryptosystems come out every few years. The creators of these
cryptosystems happily send them out for academic rigor, making sure the code has high
resiliency, that it holds up against cracking.
Finally, that elusive perfect cryptosystem should hold up over time. In some cases, keys
might be used for weeks, months, or even years perhaps. Forward secrecy means to protect
a cryptosystem from one key giving away some secret that makes it easier to crack. If an
algorithm achieves this, we call it perfect forward secrecy. There is no such thing as perfect
forward secrecy other than using a key only once and throwing it away—a one-time pad.
Module 2-3: Symmetric Cryptosystems
This module covers the following CompTIA Security+ objective:
• 2.8 Summarize the basics of cryptographic concepts
Developers have created and deployed numerous symmetric key cryptosystems over
the years to provide fast and secure data communications. This module explores the six
most common symmetric cryptosystems. Some of the data here is historical, but all of it
informs modern cryptosystems. Let’s look at these cryptosystems:
•
•
•
•
•
•
DES
3DES
AES
Blowfish
Twofish
RC4
DES
The Data Encryption Standard (DES) is an older, now obsolete standard for commercialgrade encryption within the United States. DES uses an algorithm called Lucifer, developed by IBM. In the DES implementation, Lucifer has a 64-bit key size. Eight of those
02-ch02.indd 98
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-3: Symmetric Cryptosystems
99
bits are used for computational overhead, so the true key size is only 56 bits. DES is a
symmetric block algorithm and uses 64-bit block sizes. Blocks that are less than 64 bits
in size are padded.
EXAM TIP The CompTIA Security+ exam will quiz you on block sizes, so make
notes throughout this module!
DES works in modes of operation, defined methods that determine how a plaintext
block is input and changed to produce ciphertext. Each of these modes processes input
blocks of text in different ways to encrypt the data. Modes also use certain mathematical
functions to transform the data for stronger encryption. DES uses 16 rounds for each
mode. So, for whichever mode is used, that process is repeated 16 times on a block of
plaintext to produce the output ciphertext.
DES uses five different block cipher modes of operation:
•
•
•
•
•
ECB
CBC
CFB
OFB
CTR
In the electronic code book (ECB) mode, plaintext blocks of 64 bits are manipulated
to produce ciphertext. With ECB mode, a given piece of plaintext will always produce
the same corresponding piece of ciphertext. Unfortunately, this makes ECB mode very
predictable, and it can easily be broken if an attacker has specific pieces of plaintext and
ciphertext to compare.
The cipher block chaining (CBC) mode produces much stronger encryption by
XORing the previous block to the block being encrypted. The very first block introduces
an initialization vector (IV) into the process. This ensures that every block of plaintext
input into the process produces a uniquely different piece of ciphertext. So even when the
same block of plaintext is input repeatedly, the resultant ciphertext will not be identical
to any previous outputs.
Cipher feedback (CFB) mode is like CBC except the plaintext is XORed into the IV
after each round.
Output feedback (OFB) mode is very similar to CFB mode, but instead of the previous
block’s ciphertext being the next block’s IV, it takes the result of the previous encryption
of the IV and key before the plaintext is XORed.
In DES, counter (CTR) mode uses a random 64-bit block as the first IV, then
increments a specified number or counter for every subsequent block of plaintext. CTR
mode offers the best performance.
Figure 2-11 illustrates how complex even the simple ECB mode is in DES; this
screenshot was taken from the freely available open-source CrypTool cryptography
learning program (www.cryptool.org).
02-ch02.indd 99
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
100
Permuted input
R2
…
…
2×32-bit
K[3]
…
L2
K[5]
L15
Overview
64-bit
Key K
IP
PC1
Permuted input
PC2(K)
16 DES rounds
16 subkeys
round 3–15
R15
f
Input block X
Pre-output
K[16]
IP–1
L16
R16
R16
L16
Pre-output
Output block Y
2×32-bit
64-bit
– The permuted input is split in two halves called L0 and R0, each 32-bit wide.
– For i =1, ..., 16 (16 DES rounds) let
Li = Ri–1 and Ri = Li–1
f (Ri–1, Ki)
– Ki is the subkey index and
means bitwise addition modulo 2 (also called) (XOR)
– In this schematic round 3 to 15 are abbreviated, but they run just the same.
Figure 2-11 Illustration of how DES ECB mode works (screenshot from the CrypTool cryptography
learning program)
EXAM TIP You need to know the different characteristics of DES for the
exam—16 rounds of encryption, 64-bit blocks, 56-bit keys, and five cipher
modes of operation.
Authenticated Encryption
The modes of operation used in symmetric cryptosystems can run in a couple of different
ways, as unauthenticated or authenticated. The strength of the encryption doesn’t change
either way, but unauthenticated modes offer a flaw when used in online applications.
An attacker can use an attack called a chosen ciphertext attack to intercept, modify, and,
eventually, decrypt messages.
You can implement cryptosystems that fix this flaw in a couple of ways, but such
implementations have traditionally been optional, presumably because the encryption
standards were good enough and faster without the added layers of protections. The
most common way today to secure modes of operation is to use authenticated encryption
(AE) modes that both encrypt and authenticate messages. (See the description of GCM
in the upcoming discussion of AES for a very commonly used AE mode.) Alternatively,
you could use the more complicated message authentication code to add more protection.
(See “HMAC” in Module 2-5 for more details.)
02-ch02.indd 100
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-3: Symmetric Cryptosystems
101
EXAM TIP Look for questions on the Security+ exam that ask about
unauthenticated vs. authenticated encryption modes of operation.
Bottom line? Unauthenticated = bad. Authenticated = good.
3DES
Triple DES (3DES or TDES) is a later iteration of DES designed to fix some of the
problems found in DES. It basically puts plaintext blocks through the same type of DES
encryption process, but it does so in three distinct iterations. Where DES uses single
56-bit keys, 3DES uses three 56-bit keys. Many IT folks—and the CompTIA Security+
exam—combine the three keys, so describe 3DES as having a 168-bit key.
3DES uses the same modes that DES uses; it just repeats them three times using three
different keys. Other than the number of iterations, there are no differences between the
two algorithms. This similarity causes 3DES to suffer from some of the same weaknesses
as DES. These weaknesses motivated the industry to replace 3DES with more modern
algorithms, particularly AES, discussed next.
EXAM TIP 3DES made up for some of DES’s weaknesses, but it did not
significantly change the algorithm. It puts plaintext through more iterations
than DES, but it still suffers from some of the same weaknesses.
AES
The Advanced Encryption Standard (AES) is a symmetric block cipher that can use block
sizes of 128 bits, with key sizes of 128, 192, and 256 bits. It uses 10 rounds for 128-bit
keys, 12 rounds for 192-bit keys, and 14 rounds for 256-bit keys. Like DES, AES can
use different modes to encrypt and decrypt data. Most attacks on AES are theoretical in
nature—referred to as side-channel attacks, which take advantage of ineffective implementations of the AES algorithm in the cryptosystem, versus the algorithm itself.
EXAM TIP AES is the de jure encryption standard for the US government and
the de facto standard for private and commercial organizations. It is a block
cipher that uses 128-bit block sizes, with 128-bit, 192-bit, and 256-bit keys. It
uses 10, 12, and 14 rounds, respectively, for these keys.
AES supports all the modes listed under DES, but tends to use the much lowerlatency mode called Galois/Counter Mode (GCM). GCM starts with CTR mode, but
adds a special data type known as a Galois field to add integrity. GCM is an authenticated
encryption mode of operation.
NOTE You’ll sometimes hear AES called by its original name, Rijndael,
derived from the last names of its two Belgian developers, Vincent Rijmen
and Joan Daemen.
02-ch02.indd 101
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
102
Blowfish
Blowfish is a block cipher that accepts 64-bit blocks and has a wide range of variable
key links, from 32 bits all the way up to 448 bits. It uses 16 rounds of encryption,
just as DES does. It is widely implemented in different software encryption solutions
and is considered a good choice for a strong encryption algorithm, since there have
been no more effective complete cryptanalysis solutions published to date. The designer,
Bruce Schneier, placed Blowfish in the public domain, free for all to use.
Twofish
Twofish is a symmetric block algorithm that uses a 128-bit block size. It can use 128-bit,
192-bit, or 256-bit keys. Like DES, it uses 16 rounds of encryption. It is viewed as a successor to Blowfish. Although there have been some published partial theoretical attacks
against Twofish, there are currently no publicly known attacks against it. Like Blowfish,
Twofish has been placed in the public domain, making it freely available for anyone
to use.
EXAM TIP Although AES is the official US standard, both Blowfish and
Twofish are exceptionally good encryption algorithms. Both use 64-bit
blocks, and both perform 16 rounds of encryption. Blowfish can use key
sizes from 32 to 448 bits, and Twofish uses key sizes of 128 bits, 192 bits,
and 256 bits. Longer keys provide better key strength.
RC4
Rivest Cipher 4 (RC4) is a streaming symmetric algorithm (unlike the block algorithms
discussed previously in the module). Because it is a streaming cipher, it uses only one
round of encryption. RC4 can use key sizes from 40 to 2048 bits in length. It’s a very fast
protocol, as all streaming ciphers are. RC4 uses a key stream (stream of pseudorandom
bits injected into the encryption process), which is then combined with plaintext using
the XOR function to encrypt them into ciphertext.
RC4 is most popularly used in wireless encryption with the older, now obsolete
and cryptographically broken Wired Equivalent Privacy (WEP) protocol. It can also
be found in versions of the Secure Sockets Layer (SSL) and Transport Layer Security
(TLS) protocols. RC4 has some documented weaknesses, which makes it unsuitable for
future implementations. Current software vendors advise against its use, and the Internet
Engineering Task Force’s (IETF) RFC 7465 eliminated its use in TLS.
EXAM TIP RC4 is likely the only example of a streaming cipher you will see
on the exam. All the other symmetric algorithms discussed throughout this
book are block ciphers.
Summary of Symmetric Algorithm Characteristics
Table 2-1 summarizes the characteristics of the different symmetric algorithms.
02-ch02.indd 102
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-4: Asymmetric Cryptosystems
103
Symmetric
Algorithm
Block or
Streaming
Block
Size
Rounds
Key Size
Notes
DES
Block
64-bit
16
56 bits (64 bits
total, with 8
bits for parity
overhead)
Uses five modes of
operation: ECB, CBC,
CFB, OFB, and CTR.
3DES
Block
64-bit
16
168 bits (three
56-bit keys)
Repeats DES process
three times.
AES
Block
128-bit
10, 12, and
14 (based
on key size)
128, 192, and
256 bits
Encryption standard
for the US government;
GCM mode is popular.
Blowfish
Block
64-bit
16
32–448 bits
Public domain algorithm.
Twofish
Block
128-bit
16
128, 192, and
256 bits
Public domain
algorithm.
RC4
Streaming
N/A
1
40–2048 bits
Used in WEP, SSL, and
TLS; largely deprecated
in current technologies.
Table 2-1 Summary of Symmetric Algorithms
Module 2-4: Asymmetric Cryptosystems
This module covers the following CompTIA Security+ objective:
• 2.8 Summarize the basics of cryptographic concepts
Developers have created and deployed numerous asymmetric key cryptosystems
over the years to provide robust key exchange and secure data communications. This
module explores the five most common asymmetric cryptosystems. Some of the data
here is historical, but all of it informs modern cryptosystems. Let’s look, in order, at these
cryptosystems:
•
•
•
•
•
RSA
Diffie-Hellman
PGP/GPG
ECC
ElGamal
RSA
The RSA cryptosystem enables you to create and use a public-private key pair. It generates keys based on the mathematical problem of the difficulty of factoring two very large
prime numbers (each generally up to several hundred digits in length). RSA uses one
round of encryption, and its typical key sizes range from 1024 to 4096 bits.
02-ch02.indd 103
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
104
Although RSA is considered very secure, keys of smaller sizes have been broken in
various published attacks. Still, these attacks are largely based upon faulty implementations
of the protocol, rather than the protocol itself.
RSA is pretty much the de facto asymmetric algorithm used in most public key
cryptography implementations today. Figure 2-12 demonstrates how RSA works, using
simple prime numbers and the CrypTool learning program.
NOTE RSA is the de facto asymmetric protocol used for generating publicprivate key pairs. The name RSA reflects the first letters of its creators,
Ron Rivest, Adi Shamir, and Leonard Adleman.
Figure 2-12 Simple demonstration of the RSA algorithm (screenshot from the CrypTool cryptography learning program)
02-ch02.indd 104
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-4: Asymmetric Cryptosystems
105
Diffie-Hellman
The Diffie-Hellman (DH) protocols enable you to use asymmetric key exchange to give
both sides of a conversation a single symmetric key. This means that two parties can
use a nonsecure channel to establish a secure communications session. This secure key
exchange works even when the parties have no previous relationship.
DH offers a much faster connection compared to RSA. RSA provides great security,
but requires a lot of computation and complex key exchange procedures. If you prefer
speed over security, DH is the asymmetric algorithm for you!
DH uses discrete logarithms, modulo arithmetic, and prime numbers to generate key
pairs randomly that derive a symmetric key without ever sending any private information.
Part of the DH key exchange process requires each side to create a temporary key, called
an ephemeral key, which is used in only one exchange and then discarded. This ephemeral
key usage is called Diffie-Hellman Ephemeral (DHE).
DH relies on pseudorandom number generation to create the ephemeral keys. In most
cases, this relies on pseudorandom number code that uses aspects of the underlying system
like dates, MAC address of the network interface card (NIC), and other seemingly random
information to make these values. Unfortunately, dates and MAC addresses really aren’t
random; in theory, a malicious actor can use this against you. To fight against this, several
alternatives exist.
One alternative is to use a larger modulus: an important value that helps DH derive
keys. A preset modulus of a specific size is called a DH group. As long as both sides agree
to a group size, we can improve DH while still providing backward support for systems
that only can derive smaller keys. Here are a few examples of DH groups:
•
•
•
•
Group 1
Group 2
Group 5
Group 14
768-bit modulus
1024-bit modulus
1536-bit modulus
2048-bit modulus
Another alternative is to skip ephemeral keys with DH and use something more
resilient, such as Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE). ECDHE skips
pseudorandom number generation and instead uses ephemeral keys calculated using
elliptic-curve cryptography, discussed later in this module. ECDHE is negotiated by
groups as well:
• Group 19 25-bit elliptic curve
• Group 20 384-bit elliptic curve
• Group 21 521-bit elliptic curve
NOTE Many applications (such as secure Web sites) use RSA for
authentication and DH for key exchange.
02-ch02.indd 105
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
106
PGP/GPG
Pretty Good Privacy (PGP) is a cryptography application and protocol suite used in asymmetric cryptography. PGP can use both asymmetric and symmetric keys for a wide variety of operations, including bulk encryption, data at rest encryption (including both file
and full disk encryption), key-pair generation, and key exchange. Unlike other public
key cryptography schemes, PGP uses a web-of-trust rather than a public key infrastructure. (See Module 2-7 for details.) Although PGP is considered a commercialized, proprietary version, it has an open-source equivalent, Gnu Privacy Guard (GPG). The various versions of PGP and GPG comply with the OpenPGP standard, an IETF standard
published as RFC 4880.
EXAM TIP With PGP/GPG, think e-mail here. That’s where you’ll see these
standards in play.
ECC
Elliptic-curve cryptography (ECC) is an asymmetric method of cryptography based on
problems involving the algebraic structure of elliptic curves over finite fields. (Say that
three times fast!) ECC has many uses, including variations that apply both to encryption
and digital signatures.
ECC has special uses involving mobile devices. It requires low computational power
and memory usage, so ECC has been widely implemented in smartphones and other
low-power mobile devices.
EXAM TIP Expect a question on common use cases involving low-power
devices, such as smartphones, on the exam. ECC provides the answer.
ECC typically uses much smaller key sizes than other asymmetric algorithms, but
these smaller-sized ECC keys are also harder to break. The largest known ECC key
broken to date is only a 112-bit key, for example, compared to a 768-bit key size that has
been broken with RSA.
ElGamal
ElGamal is an asymmetric algorithm that can be used for both digital signatures and
general encryption. (See Module 2-6 for the details on digital signatures.) Taher Elgamal
based his eponymous algorithm partially on Diffie-Hellman key exchange algorithms.
ElGamal uses mathematical problems related to computing discrete logarithms.
You’ll see ElGamal used in hybrid cryptosystems, where ElGamal encrypts the
comparatively tiny symmetric key and some other (faster) scheme encrypts the message.
It’s also widely used in open standards and cryptosystems, including PGP and GPG.
02-ch02.indd 106
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-5: Hashing Algorithms
107
The US government’s Digital Signature Algorithm (DSA) is based upon the ElGamal
signature scheme.
Module 2-5: Hashing Algorithms
This module covers the following CompTIA Security+ objectives:
• 2.1 Explain the importance of security concepts in an enterprise environment
• 2.8 Summarize the basics of cryptographic concepts
IT professionals use several hashing algorithms to ensure the integrity of data and
source. This module starts with a brief discussion of how hashing works—a rehash of
the introduction in Module 2-2, so to speak. [Insert groan here at bad pun.] Then we’ll
explore the four most common hashing algorithms:
•
•
•
•
MD5
SHA
RIPEMD
HMAC
Hashing Process
Encryption necessarily implies decryption. Plaintext transformed through encryption
into an unreadable state can be decrypted and returned to a plaintext state.
Hashing does not encrypt text; it generates a representation of that text, which is the
hash or message digest. A hash is not the plaintext itself, but rather a unique identifier for
the text, like a fingerprint. Note that hashing does not use keys at all, only algorithms,
also making it less like encryption and decryption.
Theoretically, an identical piece of plaintext will always produce the same hash value,
assuming that you use the same hashing algorithm. Likewise, no two different pieces
of plaintext should ever produce the same hash, given the same algorithm, although it
happens.
These accidentally matching hashes, called collisions, can enable a miscreant in theory
to generate a piece of data with the right hash to fool others as to its integrity. Figure 2-13
illustrates the collision process a bit more clearly, where two differing texts run through
the hashing algorithm, but result in identical hashes.
Several older hashing algorithms can produce collisions. As this module addresses the
different hashing algorithms, we’ll point out the older, collision-prone algorithms.
NOTE Hashing is not the same thing as encryption and decryption. Hashes
cannot be reversed or decrypted; they can only be compared to see if they
match.
02-ch02.indd 107
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
108
AC 68 53 0B E5 FF 26 34 E9
F2 7C E8 1F 62 4D 5A 9F C1
E7 89 14 05 F0 7A AC 0D 69
A9 7A A2 6C 0F
Variable-Length Text #1
Hashing Algorithm
Fixed-Length
Hash or Message Digest #1
AC 68 53 0B E5 FF 26 34 E9
F2 7C E8 1F 62 4D 5A 9F C1
E7 89 14 05 F0 7A AC 0D 69
A9 7A A2 6C 0F
Variable-Length Text #2
Hashing Algorithm
Fixed-Length
Hash or Message Digest #2
Figure 2-13 The hashing process and collisions
Hashing supports confidentiality (in the case of hashing passwords, for instance)
and integrity. For confidentiality, you can hash a password (run it through the hashing
algorithm) and send the resulting hash over an untrusted network for authentication.
You would not need to transmit the actual password (Figure 2-14).
When the authenticating server receives the hash, it takes the password hash it has
stored in the credentials database and compares it to the hash it received. If they match, the
server knows that the user also knew the correct password, and it allows authentication. If
the hashes don’t match, the server refuses authentication, because the user obviously did
not know the correct password, which in turn did not generate the correct hash. Hashing
thus supports authentication as well as confidentiality and integrity.
EXAM TIP Expect questions on common use cases for supporting
authentication, confidentiality, or integrity. Hashing provides all three.
Some systems encrypt password hashes during transmission using symmetric key
cryptography and then decrypt them on the receiving end to protect the hash during
transmission. This action blocks an obvious attack option.
Figure 2-14
Sending a
password’s hash
instead of the
password itself
02-ch02.indd 108
I can’t read the
password if it’s
sent as a hash!
1ad487ce2354b5ff69211be87e
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-5: Hashing Algorithms
109
An attacker can intercept a password hash as it travels over a network. The attacker
won’t have the actual password at that point, of course, and can’t reverse the hash to get it,
but she can use various methods to perform the same type of hash comparisons against a
list of potential passwords and generate an identical hash, letting her discover the original
password. An encrypted hash blunts that capability.
Because identical pieces of plaintext always produce the same hash value, using the
same hashing algorithm on both enables you to tell if a piece of text has changed, even by
one binary digit (bit). If even a single 1 or 0 bit changes in the text, the hash produced
will differ from the hash of the original piece of text. In this way, comparing hashes of
two supposedly identical pieces of plaintext can verify the integrity of the original. If the
hashes match when compared, the samples of text are identical and have not been altered.
If the hashes differ when compared, however, then a change has occurred between the
original text and what was received, violating integrity.
EXAM TIP
Hashing can be used to assure both confidentiality and integrity.
MD5
The Message Digest 5 (MD5) algorithm generates a 128-bit hash, 32 hexadecimal characters long, and it replaced an earlier version of the MD series, MD4. MD5 has weaknesses,
however, and researchers have demonstrated collisions (and thus vulnerability to collision
attacks) many times, even using off-the-shelf consumer laptops. Despite deprecation by
security experts—as in, “don’t use this broken thing!”—many low-security situations still
use it, even in 2020. MD5 is also used as part of other cryptographic methods, including
the Extensible Authentication Protocol (EAP), as part of its EAP-MD5 implementation.
EXAM TIP MD5 produces a 128-bit message digest, consisting of 32
hexadecimal characters, regardless of the length of the input text.
SHA
The US National Security Agency (NSA) developed the Secure Hash Algorithm (SHA)
standards to provide cryptographic hash functions, starting in 1993. Since the initial
release—SHA-0, SHA has seen several iterations, including SHA-1, SHA-2, and SHA-3.
The 160-bit SHA-1 algorithm, originally designed as the standardized Digital
Signature Algorithm for the United States, produces 40-character hashes. SHA-1 was
a contemporary of MD5 and had similar cryptographic flaws. SHA-2 is made up of
two separate algorithms, SHA-256 and SHA-512, but each has minor versions that
include SHA-224 and SHA-384. SHA-3 uses a hash function called Keccak that makes
it different internally than SHA-1 and SHA-2. It has the same hash lengths as the
SHA-2 versions.
02-ch02.indd 109
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
110
EXAM TIP SHA-1 and SHA-2 have been replaced by the latest iteration of
SHA, known as SHA-3, which is an implementation of the Keccak hashing
function. Also, you might see SHA on the exam as Secure Hashing Algorithm,
so don’t get confused. The exam means SHA.
RIPEMD
RACE Integrity Primitives Evaluation Message Digest (RIPEMD) is a hashing algorithm
not often seen in practical implementation. It was developed in an open-standard type
of environment, as opposed to SHA. RIPEMD comes in 128-, 160-, 256-, and 320-bit
versions. Again, it is not in widespread use, despite the relatively stable and secure implementation of the RIPEMD-160 iteration, which is the most common.
HMAC
Hash-based Message Authentication Code (HMAC) is used in conjunction with a symmetric key both to authenticate and verify the integrity of the message. HMAC can
use either MD5 or SHA series of hashing algorithms (and noted as HMAC-MD5 or
HMAC-SHA1/2/3, respectively). The HMAC process produces a hash value, the message
authentication code (MAC), whose length and strength correspond to whichever hashing
algorithm was used to create it. Here’s how it works.
You already know that a given piece of plaintext or message produces the same hash
every time, as long as you use the same hashing algorithm. This can be used to verify
integrity; however, anyone can send a message that can be verified in terms of integrity,
if the hashes match. But you cannot verify the authenticity of the message—that is, who
sent it—and you cannot verify who will be able to receive it.
HMAC uses a secret (symmetric) key with the hashing process, so that a given message
produces a unique hash using that symmetric key. If someone does not have the key, she
cannot reproduce the hash of the message, so that neither integrity nor authenticity can
be verified. Only someone who has the secret key can successfully produce the same hash.
This verifies not only integrity but also authenticity, since only the person having the
secret key could have produced that unique hash and sent the message.
EXAM TIP HMAC can use hashing functions and symmetric keys to produce
a message authentication code (MAC), used to ensure both integrity and
authenticity of a message.
Module 2-6: Digital Signatures and Certificates
This module covers the following CompTIA Security+ objectives:
• 2.8 Summarize the basics of cryptographic concepts
• 3.9 Given a scenario, implement public key infrastructure
02-ch02.indd 110
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-6: Digital Signatures and Certificates
111
Figure 2-15
Secure Web site,
Hello!
Hello, www.totalsem.com!
Hello!
I want this to be Secure HTTP.
OK! Here’s my public key:
1ab4e88d923cc13d4aa….
Asymmetric encryption relies heavily on trust. When you access a secure Web site to
make a purchase, for example, you need to trust in the security of the connection between
the Web server and your client before putting in a credit card number. Two related
cryptographic functions create this security, digital signatures and digital certificates.
Digital Signatures
Secure Web sites use RSA keys for asymmetric encryption. Every connection to a secure
Web site requires a key exchange. At the very least, the Web server provides its public
key to the client so the client can encrypt messages securely. In some cases, the client will
share its public key (Figure 2-15).
The challenge to key exchange isn’t handing out the keys. The Web server and client
can automatically share their public keys the moment they connect. The problem comes
with the key itself. Imagine a scenario where a third party intercepts the data and tries
to send a bogus public key to the client (Figure 2-16). Digital signatures address this
scenario.
To send a message in a typical asymmetric encryption cryptosystem, the sender
encrypts using the recipient’s public key; the recipient decrypts using her private key. The
reverse, however, can also work. The sender can encrypt with his private key; the only
key that would enable decryption is his public key. This concept makes digital signatures
possible. Here’s the full process of creating a digital signature.
Figure 2-16
Third parties can
be evil!
OK! Here’s my (evil) public key:
9c5bba277d1aa2003d4a8c….
www.totalscam.com
02-ch02.indd 111
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
112
To prove that the public key your client receives came from the proper server, the Web
server adds a digital signature. The Web server takes the current Web page and does the
following:
1. Encrypts the page with the client’s public key.
2. Hashes the page.
3. Encrypts the hash with the server’s private key.
4. Sends the page, the public key, and the hash to the client.
Now it’s the client’s turn:
1. The client decrypts the hash using the server’s public key to verify it really came
from the server. (Only the server’s public key can decrypt something encrypted
with the server’s private key.)
2. The client decrypts the message with the client’s private key.
Figure 2-17 helps describe this process.
The hash value encrypted with the private key and that accompanies the public key
is a digital signature.
NOTE Digital signatures are one of the very few places where private keys
are used to encrypt. Normally, public keys encrypt and private keys decrypt.
Digital signatures alone work great to verify the identity of a source. Successfully
decrypting the message using the source’s public key means the message could only have
come from that source.
Figure 2-17
Proof that the
message came
from the owner
of the private key
I’ll take the current page you’re
looking at…
Encrypt it with my PRIVATE key
and HASH the result…
Encrypt the HASH with my
private key
Then send you the page as well
as my public key and the HASH
If you can decrypt it with the
public key and generate the
same HASH
You’ll know that only I, the
holder of the private key, sent it.
02-ch02.indd 112
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-6: Digital Signatures and Certificates
113
Who do I trust?
NO! NO! HERE is the
totalsem.com public
key, digitally signed.
Here’s the
totalsem.com public
key, digitally signed.
Figure 2-18 Who can you trust?
Digital Certificates
A digital signature is only good for verifying that the entity who sent you a public key is
legitimately the one who possesses the corresponding private key. But how do you know
that public key really came from the Web site, or the owner of that e-mail address, or the
VPN service, or whatever other thing you want to connect to that you need to know you
can trust? You need something more than a digital signature (Figure 2-18).
You might at this point say, “I know I’m on the right Web site because it says so in
the address bar” or, “I know this e-mail came from mike@totalsem.com, because that’s
who the e-mail said it came from.” This is not acceptable. First, it’s easy to make another
Web site look just like one you know (Figure 2-19). Equally, it’s easy to make another
service—e-mail is a great example—look like it came from a known source. This process
But the Web site said
www.totalsem.com!
Oh, really?
Figure 2-19 It’s easy to deceive.
02-ch02.indd 113
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
114
Figure 2-20
A certificate
should have
a third-party
signature.
And I, Trusted Third
Party, add my digital
signature as well,
signifying this is
www.totalsem.com!
Here’s the
totalsem.com public
key, digitally signed.
Digital
Certificate
is called spoofing. Simply relying on the fact that something looks like it’s a legitimate
source isn’t good enough. (And how closely do most people look at URLs anyway?)
Worse, a fiend can use Unicode to whack out URLs to the point where you could
swear you know where you are, but you are at a completely different URL.
To create trust in this scenario requires a digital certificate, an electronic file specifically
formatted using industry standards that contains identifying information. That’s a
mouthful!
Think of a digital certificate like a Word document with a bunch of spaces to fill in
with specific information. There are different digital certificate “forms” for different jobs
(e-mail, Web servers, code signing, and many more). Any digital certificate will store a
public key with a digital signature, personal information about the resource (URL, e-mail
address, phone numbers, whatever), and a second digital signature from a third party you
both trust (Figure 2-20).
The rest of this module concentrates on the types of digital certificates and their
formats and tours a typical certificate on a PC.
NOTE
Module 2-7 goes into depth on maintaining digital certificates.
Touring a Certificate
Let’s look at a digital certificate. In Windows, you can see your certificates by opening
any Web browser’s Settings and locating a certificates option. In Microsoft Edge, for
example, click the icon with three horizontal dots in the upper-right corner and choose
Settings. Select Privacy and Services, then click the Manage Certificates button to open
the Certificates dialog box (Figure 2-21).
02-ch02.indd 114
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-6: Digital Signatures and Certificates
115
Figure 2-21 Getting to the Certificates dialog box in Microsoft Edge
NOTE All Web browsers have a certificate location. Take your time,
you’ll find it.
The Certificates dialog box features several tabs. For this module, pick any tab, select
any certificate on that tab, and then click View (or whatever your system says) to see the
certificate in detail. You should see something like Figure 2-22.
Now click the Details tab at the top. On the Show pull-down menu, select Version 1
Fields Only to see something like Figure 2-23. Click each field as you read through the
following descriptions to see what each value stores.
• Version The common certificate format is X.509. It started with version 1. Modern
certificates are version 3. This field shows the X.509 version of this certificate.
• Serial number A unique number given to this certificate by the issuing body.
• Signature algorithm The type of encryption and hash used by this certificate.
• Signature hash algorithm Same as signature algorithm. (It’s a Microsoft thing.)
• Issuer X.509 formatted name of issuer of this certificate. (See “Certificate
Attributes” next.)
• Valid from Time the certificate was granted.
• Valid to Time the certificate expires.
• Subject To what this certificate is issued in X.509 format.
• Public key The public key for the certificate.
02-ch02.indd 115
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
116
Figure 2-22 Certificate view in Windows
There’s a lot more to see if you change Show: to <ALL>, but there are two fields that
warrant note here:
• Thumbprint The certificate’s digital signature.
• Authority Key Identifier The third party’s digital signature.
02-ch02.indd 116
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-6: Digital Signatures and Certificates
117
Figure 2-23 Typical certificate details in Windows
Certificate Attributes
Digging deeper into certificates reveals a lot more information, specifically certificate attributes that vary according to the purpose of the certificate. Figure 2-24 shows a local Trusted
Root Certification Authority certificate from COMODO ECC Certification Authority.
02-ch02.indd 117
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
118
Figure 2-24
Local Trusted
Root CA
certificate
Note the Issuer details in the bottom pane:
•
•
•
•
•
CN The canonical name, the full name of the issuing body
O The organization, COMODO CA Limited
L The locality, Salford
S The state or province, Greater Manchester
C The country or origin, Great Britain
Contrast the certificate shown in Figure 2-24 with the certificate shown in Figure 2-25,
which comes from the Chrome Web browser connected to https://www.amazon.com.
The Details tab is selected again, but the Subject is chosen in the top pane rather than
Issuer. As you might expect, it reveals the details about Amazon, including the CN, O,
L, S, and C; Amazon’s headquarters are in Seattle, Washington, United States of America.
02-ch02.indd 118
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-6: Digital Signatures and Certificates
119
Figure 2-25
Web certificate
attribute details
Getting a Certificate
Virtually all cryptosystems that use asymmetric cryptography require a certificate. Probably the best example is a secure Web site. Let’s say you want to set up a secure (HTTPS)
Web server. You can spin up your own server and load some Web server software on your
own, but if you want to use HTTPS, you’ll need a certificate.
To get a certificate, submit information to a certificate issuing organization, called
a certificate authority (CA). There are a handful of these organizations, though three
dominate the market: IdenTrust, DigiCert, and Sectigo (formerly Comodo). Before you
give a certificate issuing organization your credit card details, you need to generate a
certificate signing request (CSR) on your Web server, as described in the “Certificate Life
Cycle” section of Module 2-7. Figure 2-26 shows part of this process in Microsoft Internet
Information Services (IIS).
Once you create the CSR, cut and paste the information into an online form.
Depending on the certificate, you’ll get your certificate sent via e-mail or through a Web
interface. In most cases, the certificate installs itself. You can import if necessary.
02-ch02.indd 119
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
120
Figure 2-26 Creating a CSR in IIS
NOTE You don’t have to pay for third parties to sign certificates (e.g., Let’s
Encrypt, https://letsencrypt.org, is a popular free certificate issuer, backed
by IdenTrust). Self-signed certificates work just fine within your network for
services that require certificates—applications and such on the corporate
intranet, for example. There’s no reason to pay for certificates for internal use.
Make certain those self-signed or untrusted-signed certificates never see the
rest of the world.
Module 2-7: Public Key Infrastructure
This module covers the following CompTIA Security+ objectives:
• 2.8 Summarize the basics of cryptographic concepts
• 3.9 Given a scenario, implement public key infrastructure
Public key infrastructure (PKI) implementations combine symmetric and asymmetric
key cryptographic methods with hashing to create robust and secure systems. This
module puts together all the information in Modules 2-1 through 2-6 of this chapter to
describe these systems.
The module starts with keys, algorithms, and standards. The second section explores
PKI services. The third section discusses digital certificates and PKI structure. We’ll look
at key safety next and then finish with trust models.
02-ch02.indd 120
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-7: Public Key Infrastructure
121
PKI puts cryptography into practical application. IT professionals use PKI to
implement strong authentication and encryption schemes to protect data confidentiality
and integrity and to ensure non-repudiation. Let’s get started.
Keys, Algorithms, and Standards
Hybrid cryptographic systems incorporate the advantages of asymmetric and symmetric algorithms, while at the same time making up for the disadvantages each has. Symmetric algorithms are fast, and they can encrypt large amounts of data efficiently.
Symmetric cryptography suffers from key exchange and scalability problems. Asymmetric cryptography, on the other hand, has no issues with key exchange. It’s also very
scalable, since it only requires that each individual have a public and private key pair.
Unfortunately, asymmetric cryptography doesn’t do very well with speed or encrypting
large amounts of data.
PKI takes advantage of these different positive aspects of both asymmetric and
symmetric key cryptography and uses each, along with hashing algorithms, for different
aspects of identification, authentication, encryption, and non-repudiation. Let’s look
now at keys and algorithms that relate to PKI.
EXAM TIP PKI is composed of several components and technologies, as well
as the infrastructure and processes used to manage certificates.
Keys
Asymmetric cryptographic systems use a public and private key pair. Both keys are mathematically related, but you cannot use one to derive the other. The keys are generated
using various mathematical algorithms. What one key in a pair encrypts, only the other
key in the same pair can decrypt. Public keys are given to anyone who wants them,
and private keys are kept confidential, protected by the individuals who own them. To
exchange messages between two parties, each must have a public and private key pair.
Each party must also possess the public key of the other party.
When one person wants to send an encrypted message to the other, the sender
encrypts the message using the receiver’s public key. Then, the receiver decrypts it using
the receiver’s private key, since that’s the only key in the pair that can decrypt what the
public key encrypts. This is demonstrated in Figure 2-27.
Figure 2-27
Communicating
using public and
private keys
02-ch02.indd 121
Meghan’s Public Key
Amy’s Public Key
Amy’s Private Key
Meghan’s Private Key
Amy
Meghan
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
122
Symmetric cryptography, on the other hand, uses only one key. Both parties must
possess that same key to encrypt and decrypt data. Getting the same key to each party
securely poses the major obstacle in symmetric cryptography.
In a hybrid cryptographic system, party A generates a symmetric key—often called
a session key—and encrypts that key using party B’s public key, and then sends the
encrypted key to party B. Party B, the receiving party, decrypts the encrypted session
key with party B’s private key. After that, faster communications can take place using the
symmetric session key.
Using this hybrid approach with asymmetric and symmetric keys ensures
confidentiality, since both data and the session keys are encrypted. It doesn’t, however,
ensure authenticity or integrity of the message, nor does it provide for non-repudiation.
Adding hashing algorithms into the process provides those services; we’ll discuss those
momentarily.
EXAM TIP The CompTIA Security+ SY0-601 objectives use specific wording
on this topic. So a common use case for cryptography is supporting
confidentiality. The hybrid cryptographic system clearly accomplishes
this goal.
Algorithms
Previous modules discussed the algorithms, both symmetric and asymmetric, employed
in PKI. These include symmetric algorithms such as AES and asymmetric algorithms
such as RSA for key generation and Diffie-Hellman for key exchange. PKI also uses hashing algorithms, such as MD5, RIPEMD, and the SHA family of algorithms. Let’s look at
specific PKI standards to see how they put the algorithms together.
PKI Standards
PKI implementations use one of several standards. The primary standard is X.509; other
standards apply to specific industries.
The ITU Telecommunication Standardization Sector (ITU-T) X.509 standard
describes how digital certificates are constructed, including what information they will
contain, their uses, and their formatting. The X.509 standard also describes processes
involved with issuing certificates, as well as other processes in the certificate life cycle.
NOTE The initialism “ITU” has changed meaning over the years, from
International Telegraph Union, formed in 1865, to the International
Telecommunication Union, created in 1932. ITU-T morphed from the Comité
consultatif international téléphonique et télégraphique (CCITT), formed in
1956, to the current initialism, created in 1993. (And none of this brief history
lesson shows up on any CompTIA exam.)
Other somewhat proprietary standards that you’ll encounter in PKI come from
different industry segments, but usually comply with open standards. One set of these
standards is the Public Key Cryptography Standards (PKCS), developed by RSA Security.
02-ch02.indd 122
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-7: Public Key Infrastructure
123
The PKCS describe certificate construction and use. Cryptosystems use a PKCS #7 file
digital certificate, for example, to sign or encrypt messages, such as e-mail. A PKCS #12
file contains public and private keys and is encrypted for secure key storage.
Other vendors, such as Microsoft and Apple, for example, also have proprietary ways
of issuing and managing certificates throughout the certificates’ life cycle, although these
standards usually comply with the X.509 standards.
EXAM TIP The primary standard used in PKI is the X.509 standard, which
describes the certificate format and how it is used.
PKI Services
In addition to confidentiality, PKI provides for secure key exchange, message authentication and integrity, and non-repudiation. The next few sections discuss how PKI provides
these different services. We’ll also revisit digital signatures.
Key Generation and Exchange
PKI has technologies and methods built in for several different processes. Among those
are key generation and key exchange. Key generation is the process of creating a public and
private key pair, which is then issued to an individual, based upon his or her confirmed
identity. RSA is the most popular key generation algorithm, although there are others.
Key exchange is a process, typically using Diffie-Hellman algorithms, that assists in the
creation and secure exchange of symmetric keys, typically session keys used for one communications session only. After keys are generated, public and private keys are used to
encrypt and decrypt session keys once they are transmitted and received, respectively, by
both parties.
Non-repudiation
Non-repudiation means that a person cannot deny that he or she took a specific action.
The person’s identity has been positively verified, and any actions that person takes are
traced back to that identity.
PKI assures non-repudiation by using public and private keys. The certificate authority
must positively identify and authenticate an individual before the CA issues a key pair.
After issuing that key pair, the CA digitally signs the individual’s certificate using the
CA’s private key. This signing confirms the CA has validated the user’s identity. Finally,
because only the issuing organization can sign with its private key, this verifies that the
certificate came from a valid issuing organization.
Once Jack gets his key pair from the certificate authority, any message he signs using
his private key verifies he sent the message. This assumes that Jack did the right thing and
protected his private key, of course. If a message is signed using a key pair owned by Jack,
in other words, he cannot deny that he sent the message. This assures non-repudiation.
EXAM TIP The CompTIA Security+ SY0-601 objectives use specific wording
on this topic. So a common use case for cryptography is supporting nonrepudiation. PKI clearly accomplishes this goal.
02-ch02.indd 123
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
124
Message Integrity
PKI can provide message integrity through hashing algorithms. Using hashing algorithms
such as SHA-512, for instance, you can hash messages to generate unique fingerprints,
or hashes, that can be checked both before transmission and after the message is received.
If the hashes compare and match, you can be assured of data integrity. If they compare
and do not match, you know that something (or someone) has changed the integrity of
the message. Message integrity can be altered accidentally through simple “bit-flipping”
during bad transmission conditions or intentionally by some malicious actor.
Message integrity is assured by also incorporating hashing algorithms into the PKI
process. Although there are several possible ways to do this, the simplest way is to hash the
message and encrypt both the message and the hash and send them on to the recipient,
so that when the recipient gets the message, he can simply decrypt the message with his
private key and then rehash the message to generate a hash that he can compare to the hash
he received. The recipient doesn’t do this manually; the automatic PKI processes take care
of these steps at the application level.
EXAM TIP The CompTIA Security+ SY0-601 objectives use specific wording
on this topic. So a common use case for cryptography is supporting integrity.
PKI clearly accomplishes this goal.
Digital Signatures
PKI systems incorporate digital signatures to authenticate the source of a message.
Encrypting a message with a private key assures the recipient of the source when the corresponding public key decrypts that message. Add in the hashing component of digital
signatures and you’ve got a winning combination, as discussed back in Module 2-6.
Digital Certificates and PKI Structure
This section explores how a basic public key infrastructure organization works, describing some of the elements in a PKI, such as the certificate and registration authorities,
as well as the certificate revocation list. First, however, we’ll take another look at digital
certificates and describe them in more detail.
Digital Certificates
As mentioned earlier, digital certificates are simple electronic files. The X.509 and PKCS
standards determine the specific formats for digital certificates, as well as the file types
and formats. Digital certificates come in a variety of file formats, including those with
.cer and .pem file extensions. (We’ll cover all of these in detail in Module 11-5.) Additionally, there is a variety of types of certificate files, and each of these may fulfill a unique
function in a PKI, such as a certificate request file. Digital certificates can be stored on
several types of media, such as USB sticks, mobile devices, internal computer storage,
and even centralized repositories on a network or the Internet.
02-ch02.indd 124
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-7: Public Key Infrastructure
125
Certificates come in a variety of types, each type serving one or more purposes such
as the following:
•
•
•
•
Signing and encrypting e-mails
Identifying and authenticating networks
Identifying servers
Digitally signing software, verifying its authenticity from a publisher
Certificates typically contain a variety of information, known as certificate attributes,
including the public key of the individual and information that identifies that person,
the issuing organization, and valid dates and functions for the certificate to be used
(Figure 2-28). Cryptographic systems can use certificate attribute filters to allow or deny
specific access. A filter might examine the organization (O) attribute and allow only
traffic that comes from Total Seminars, for example.
EXAM TIP The CompTIA Security+ SY0-601 objectives use specific wording
on this topic. So a common use case for cryptography is supporting
authentication. Certificates clearly accomplish this goal.
Figure 2-28
A digital
certificate
02-ch02.indd 125
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
126
Certificate Life Cycle
Managing a digital certificate from issuance, through use, and finally disposal refers
to the process of managing the certificate over its life cycle. That life cycle follows four
main stages:
1. Registration by an entity
2. Issuance of certificate from certificate authority
3. Maintenance by the certificate authority
4. End of life through expiration, suspension, or revocation
The sections below explore both the life cycle stages and the entities involved. We’ll
look at certificate registration, certificate authorities, certificate servers, and certificate
end of life features.
Certificate Registration A certificate’s life cycle begins when a user registers to receive
a certificate. The person requesting the certificate must provide valid identification to
the certificate authority (CA), the entity that issues and controls the digital certificates.
Registration usually means the user must present identification that the issuing organization
authenticates, thus verifying the person’s identity. Valid forms of identification that a
requester may submit include her driver’s license, birth certificate, passport, photographs,
and any other identification that the issuing organization requires. Once a user has
submitted the required identification, the CA decides whether to issue the certificate and
under what circumstances.
NOTE Before issuing a certificate to an individual, the certificate authority
must verify the individual’s identity.
Certificate Authority As just mentioned, the certificate authority issues and controls
digital certificates. The CA might be a commercial organization, such as GoDaddy, or it
could be the user’s organization. Often, private organizations have internal CAs that issue
digital certificates used specifically within the logical bounds of the organization. The CA
also manages the certificate server (sometimes called the CA server), the host computer
that generates keys and produces digital certificate files.
The CA normally handles all user registration, identification, and validation processes,
and it issues digital certificates to the user. In larger organizations, to help balance the
workload for the CA, registration functions may be delegated to a separate registration
authority (RA), which verifies user identities and then passes the information on to the
CA for certificate generation.
The CA makes decisions on whether to issue the certificate, under what circumstances,
and with what caveats. When an entity requests a certificate, it submits a certificate signing
request (CSR). The CA reviews the CSR, which contains the information that will be
embedded in the digital certificate, including the public key, organization name, common
02-ch02.indd 126
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-7: Public Key Infrastructure
127
Root CA
Root CA
Intermediate CA
Subordinate CA
Subordinate CA
Subordinate CA
End entity
certificate
End entity
certificate
End entity
certificate
Subordinate CA
End entity
certificate
End entity
certificate
End entity
certificate
Figure 2-29 Simple CA hierarchy
name, and so on. The CA then generates a certificate for the requesting entity. That
certificate is called an end entity certificate. After generating certificates, the CA must also
perform actions on them, such as renewing, suspending, or revoking them, as needed.
EXAM TIP
A certificate authority (CA) is the primary element in PKI.
Depending on a host of factors, such as geographical considerations, supply chains, and
so forth, a “single” CA—the root CA—creates a hierarchy of trust to subordinate CAs.
The subordinate CAs have a chain of trust with the root CA; they in turn grant the end
entity certificates. Additionally, a subordinate CA might also need its own subordinate
CAs. The CA in the middle of the chain is called an intermediate CA (Figure 2-29).
Certificate Servers Smaller organizations may use only one or two servers that manage
all their certificate needs. Larger organizations, however, may have an entire hierarchy
of servers. At the top of this hierarchy is the single master server, called the root CA
server. The root issues its own self-signed certificate, unless the organization purchases and
receives one from an external certificate authority. Whether self-signed or received from
an external CA, the root CA server has the root certificate for the organization. All other
certificates in the hierarchy derive from this trust point.
NOTE Module 11-5 goes into much more detail on the various types of
certificates. This module is an overview to help make PKI concepts make
sense.
The root CA server can also issue certificates for any other use, but it typically issues
trusted certificates only to intermediate or subordinate servers. These intermediate
02-ch02.indd 127
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
128
Figure 2-30
A hierarchy of
certificate servers
Root CA
Intermediate CA
User
Authentication
Certificate CA
E-mail
Certificate CA
Intermediate CA
Code Signing
Certificate CA
servers may perform all the different certificate authority functions, or they may perform
only very specific functions, depending upon the needs of the organization. Normally,
once an organization has set up intermediate or subordinate servers, they take the root
CA server offline to protect it against possible compromise. The root CA server may
be brought back up online only occasionally for maintenance or to update certificate
information. Figure 2-30 shows a typical arrangement of a hierarchy of certificate servers
in an organization.
NOTE An organization normally takes the root CA server offline after setting
up intermediate and subordinate CA servers, to prevent compromise of
the server and the root certificate. If the root certificate is compromised,
all subordinate certificates that have been issued or signed by the root are
also considered compromised and should be treated as no longer valid
or trustworthy.
Certificate Expiration, Suspension, and Revocation Certificates do not last forever.
Certificates remain valid only for a specific period of time, and after that time they expire.
This is because, like passwords, certificates could be compromised. Certificate expiration
enables a user and the CA to monitor certificate compromise and periodically reissue
certificates to ensure that a compromised certificate isn’t used over long periods of time.
CA rules determine certificate lifetimes. An average time might be three years, but
it may be a longer or lesser period, depending upon the circumstances under which
the certificate was issued. For example, a temporary employee might receive a digital
certificate that’s good for only a year. Before a certificate expires, the user and the issuing
organization must take steps to revalidate the user, as well as their need for the certificate,
and reissue it. A user cannot use an expired and thus invalid certificate. Most browsers
and applications will display errors when trying to use or accept an expired certificate.
Figure 2-31 gives an example of an expired certificate.
02-ch02.indd 128
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-7: Public Key Infrastructure
129
Figure 2-31
An expired
certificate
Certificates can lose their validity even before their expiration dates. This usually
requires some intervention from the CA and is usually because of adverse circumstances.
A certificate may be suspended, which renders it invalid for a temporary, indefinite time
period. Normally a certificate would be suspended if the user is on extended leave, or
during an investigation, for instance. Suspending a certificate means that it could be
reinstated, allowing a user to continue using the certificate, but only if and when the CA
makes a conscious decision to do so.
Revoking a certificate, on the other hand, means that the certificate is permanently
rendered invalid. Once a digital certificate has been revoked, it can’t be reissued or reused.
The CA might revoke a certificate if a user no longer needs it, if the user has been
terminated or retires, or if the certificate has been misused or compromised in any way.
If a certificate has been revoked, the CA must reissue a totally different certificate to the
user if the CA determines that the user requires it.
The CA publishes a certificate revocation list (CRL) that contains the certificates the
entity has issued and subsequently revoked. Users can access this list to determine the
validity of a certificate. If a certificate has been revoked, it is considered no longer valid
02-ch02.indd 129
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
130
Figure 2-32 A small sample of a CRL entry from Verisign
and cannot be used. Certificate revocation lists can be published online, or they can be part
of an automated process that application software checks from a centralized repository.
Similarly, the Online Certificate Status Protocol (OCSP) is used to automate certificate
validation, making checking the status of certificates seamless and transparent to the user.
Most modern browsers and other applications that use digital certificates can use OCSP
to check CRLs automatically for certificate validity. A sample from a CRL, downloaded
to a user’s browser, is shown in Figure 2-32.
OCSP permits users (through Internet browsers and other certificate-aware
applications) to check for certificate expiration, suspension, and revocation before the
certificate is accepted. In Figure 2-33, you can see an example of a revoked certificate,
which in this case is a famous example of a certificate erroneously issued to a fraudulent
party claiming to be Microsoft. The certificate was quickly revoked after the error was
discovered.
02-ch02.indd 130
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-7: Public Key Infrastructure
131
Figure 2-33
A revoked
certificate
EXAM TIP Suspended certificates can be reused after the organization
determines it is safe to reactivate them. Revoked certificates are never
reused and are considered invalid forever.
Key Safety
Keys in PKI encrypt and decrypt data; losing a key means losing access to any data
encrypted by the other key in the pair. That would be a bad thing! Two key management
options protect organizations from such a loss, recovery agents and key escrow.
Recovery Agent
A recovery agent is a designated person or entity who has the authority to recover lost
keys or data in the event the person holding the keys is not available. Recovery agents
can work in a few different ways. One way requires the individual to store his private key
in a secure area that a recovery agent can access in the event the individual is terminated
or unavailable to decrypt data, for example, that had been encrypted with his private
key. This would be the least desirable way, however, since non-repudiation would suffer
02-ch02.indd 131
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
132
because private keys are supposed to be kept private and confidential and accessible only
by the user. Another, more common way would be to have the recovery agent maintain
a different key that can decrypt any data encrypted by an individual.
Key Escrow
As you’ll recall from Module 2-1, key escrow is the practice of maintaining private keys,
sometimes by an independent third party, so that they can be accessed in the event individuals are not able or unavailable to use them to recover data that has been encrypted.
Organizations should approach this practice with caution, however, because, as mentioned previously, this can create issues with non-repudiation. Before an organization
puts key escrow into practice, it should identify a secure, carefully executed, and transparent method of key escrow. An organization may want to implement key escrow to
guard against the possibility that an individual will encrypt sensitive data and then leave
the company suddenly, without a way for the organization to recover the data.
Trust Models
Most commercial certificate authorities are generally trusted by most browsers and applications, since their root certificate is usually contained in the root certificate store of
most devices. Private CAs, however, such as an internal CA that issues certificates only
to its own employees, may not generally be trusted by outside organizations. This would
render the certificates they have issued as untrusted by anyone outside their own organization. Because of this, some trust models have evolved over the years to enable organizations to take advantage of each other’s digital certificates, permitting some level of trust
between them. Let’s look at three trust modules:
• Hierarchical trust
• Cross-trust
• Web-of-trust
Hierarchical Trust
A hierarchical trust is normally found within an organization, particularly a larger organization, and involves trust in digital certificates within organizational boundaries. Often,
there are intermediate or subordinate CAs within a large organization that must trust
each other. One subordinate CA may issue e-mail certificates, for example, and another
may issue code-signing certificates. All the certificates, however, can be traced back and
trusted through the originating root CA. This is possible with a hierarchical trust model,
such that all subordinate and intermediate CAs trust each other because they trust the
original root CA. Look again at Figure 2-29, shown earlier, as an example of a hierarchical trust model.
Cross-Trust
A cross-trust model is often used between two different organizations. In this trust model,
organizations typically have their own certificate authorities and issuing servers. However,
02-ch02.indd 132
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-8: Cryptographic Attacks
133
because of business partner arrangements, they must trust each other’s certificates so that
their personnel can authenticate to access resources in each other’s security domains. A
cross-trust model enables organizations to have their root CAs trust each other (and the
certificates they generate) or even have specific subordinate CAs trust each other. This
type of trust can be open to any certificate or limited only to very specific certificates
issued under particular circumstances.
Web-of-Trust
A web-of-trust model is not typically used in a PKI. You’ll most often see this type of
model used in smaller groups or organizations, typically in those that allow individual
users to generate their own public and private key pairs. The use of Pretty Good Privacy
(PGP) and Gnu Privacy Guard (GPG) between small groups of users is a prime example
of a web-of-trust. In this model, there is no central issuing authority that validates user
identities. It is left up to each individual user to trust another user’s certificates. While
this works well in small groups, where each user has some level of assurance of the identity of another user, it’s typically not scalable to large groups of people or organizations.
Module 2-8: Cryptographic Attacks
This module covers the following CompTIA Security+ objectives:
• 1.2 Given a scenario, analyze potential indicators to determine the type
of attack
• 1.3 Given a scenario, analyze potential indicators associated with
application attacks
• 2.8 Summarize the basics of cryptographic concepts
• 4.1 Given a scenario, use the appropriate tool to assess organizational security
Cryptanalysis, the science of breaking encryption, is as old as encryption itself. From
Louis XVI at his palace in Versailles to the latest state-sponsored attacks, encryption has
been successfully attacked many times. This module looks at some of the more common
cryptographic attacks and the tools used to perform them. Understanding these attacks
and their tools provides a better understanding on how to keep data secure. (Plus, it’s
really fun to crack stuff!)
The module starts with a general discussion of attack strategies and then examines
attackable data. The third section explores password-oriented attacks and the tools
commonly used in the attacks. The fourth section describes how to defend password
storage. The module finishes with a look at a few attacks unrelated to passwords.
Attack Strategies
Every cryptosystem has an underlying algorithm, a key (or in the case of hashes, a digest),
or some implementation of the cryptosystem itself, all of which the attacker understands.
02-ch02.indd 133
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
134
All cryptographic algorithms are known and rarely change, in accordance with Kerckhoffs’ principle (introduced in Module 2-1). Every cryptographic attack starts by careful
inspection of the cryptosystem and aggressively probing and experimenting to find some
form of weakness in one of those three aspects.
NOTE Every cryptosystem currently in use has countries, universities,
private organizations, and individuals who constantly experiment with
them, looking for weaknesses. We need this research so that a weakness
may be discovered and shared with others in IT security and adjustments
may be made.
Attack the Algorithm
Every cryptographic algorithm is crackable given enough time to research. This is why
organizations and agencies such as the National Security Agency (NSA) update encryption standards every few years. As of this writing, the only symmetric encryption algorithm that has not shown any substantial weakness is AES. (Although that happy state
of affairs could have already changed between my typing and your reading of the printed
work!) The danger here is that many modern cryptosystems can use pre-AES encryptions
such as RC4 or DES. In this case, skilled cryptographers can crack a “secure” cryptosystem by attacking the underlying algorithm.
NOTE No secure Web server package will easily allow you to use non-AES
encryptions.
Attack the Key
Given that virtually every cryptosystem uses some form of key, it’s obvious that cryptanalysis will look at the key for weaknesses or, more importantly, attempt to determine
the key simply by attacking at the ciphertext. One of the great weaknesses is key length.
Modern increases in computing power make it easier to crack keys that were once considered too long to crack.
Consider a bike lock with only four wheels versus a bike lock with many more than
four (Figure 2-34). Which of these is faster to crack? The same concept applies to keys.
Taking a piece of ciphertext and trying every possible key until something that looks like
plaintext appears is a brute-force attack. (More on that type of attack shortly.)
DES has an effective key length of only 56 bits. That means it has a key space (the
total number of possible keys) of 256 or 72,057,594,037,927,936 different combinations.
This number seems like an impossibly large number of combinations, but specialized
computing systems like the Electronic Freedom Federation’s Deep Crack cracked a DES
key in 22 hours … back in 1998. Today, a high-end desktop computer’s processing power
isn’t too far from that same power.
02-ch02.indd 134
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-8: Cryptographic Attacks
135
Figure 2-34
Two bike locks—
which is easier to
crack?
Attack the Implementation
Some implementations of new cryptosystems have some inherent flaw that causes an
unanticipated weakness that is no fault of the underlying algorithm. Wired Equivalent
Privacy (WEP) was marketed as a complete 802.11 encryption cryptosystem, introduced with the first generation of 802.11 wireless access points (WAPs) in 1999. Widely
adopted, within a year cryptographers discovered that WEP poorly implemented the
way it used the underlying RC4 encryption. That flaw enabled a simple cryptanalysis to
derive the key simply by collecting enough encrypted data.
NOTE WEP was not a true encryption mechanism, but instead provided
the expectation of privacy the users would get from a wired network
connection. In practice, as noted, it quickly failed to protect much
of anything.
Attackable Data
No cipher attack is going to work if you don’t have access to something crackable. This
crackable data can be divided into two different types: ciphertext or hashes. Before we go
about attacking anything, let’s first create two example scenarios: one with ciphertext and
another with hashes. Then we’ll attack.
Ciphertext Scenario
Let’s use a simple example of an 802.11 network encrypted with Wi-Fi Protected Access
Pre-Shared Key (WPA-PSK). When a client connects to a WAP, the client goes through
a simple handshake procedure that determines that each side stores the same PSK. This
process does not transmit the key, but contains enough information to provide the key
to a skilled hacker. Programmers have developed applications that can capture WPA
handshakes. Figure 2-35 shows the popular Aircrack-ng program grabbing a handshake.
02-ch02.indd 135
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
136
Figure 2-35 Aircrack-ng grabbing a WPA handshake
NOTE An online attack is executed against data in transit. An offline attack is
done against data at rest.
Once this handshake is captured, the attacker has a value upon which to apply a
128-bit key. If the attacker places the correct 128-bit key, she can determine the PSK.
Hash Scenario
Many cryptographic attacks target cracking passwords. Let’s start this scenario with a
review of the where, how, and why of passwords.
A computer system or application that requires password authentication must contain
a database or table of passwords. Because these password tables are potentially vulnerable
to anyone with the technical knowledge to locate them and try to crack them, storing
a plaintext password is dangerous. It is extremely common, therefore, not to store the
password itself, but instead store a cryptographic hash of the password in the database.
The following is a sample of a hypothetical password list, consisting of four user
names with their associated passwords stored as MD5 hashes. How can you tell they
are MD5? Simply by counting the number of characters! This sample could be used for
many applications. This example uses a text file; a password list could be a text file, a
binary file, a cookie, or registry settings, depending on the application or the operating
system that uses the passwords.
Mike, bd4c4ea1b44a8ff2afa18dfd261ec2c8
Steve, 4015e9ce43edfb0668ddaa973ebc7e87
Janet, 8cbad96aced40b3838dd9f07f6ef5772
Penny, 48cccca3bab2ad18832233ee8dff1b0b
Once you have the hashes, you can hash every possible conceptual password to see if you
can match the hash.
02-ch02.indd 136
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-8: Cryptographic Attacks
137
Attack Scenarios
The ciphertext and hash scenarios previously presented have common features. Both rely
on a single data point: either ciphertext or a hash. Both have a clearly understood algorithm: WPA and MD5. Finally, you can use an attack to apply a key to obtain plaintext.
But how do bad actors perform this attack? What tools do they use to read that ciphertext
or hash and try to extract the plaintext key or password? They use programs called password crackers or password recovery tools to perform these password attacks.
Password crackers have legitimate use in assessing organizational security and recovering
forgotten passwords. Such tools belong in every network security professional’s toolbox.
In the wrong hands, though, tools to help can readily turn into tools to harm.
Password crackers come in a broad assortment of functions and interfaces. A Linuxbased attacker, for example, uses Jack the Ripper or Hashcat (Figure 2-36). A Windowsbased attacker might employ the venerable Cain & Abel (Figure 2-37).
Figure 2-36 Hashcat
02-ch02.indd 137
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
138
Figure 2-37 Cain & Abel
In general, all these tools follow similar patterns. First, they grab the ciphertext
or hashes you want to attack. Second, they analyze the data to determine the type of
encryption (or they know the encryption by the source). Finally, they give you the option
to attack in most, if not all, of the ways listed in this module.
Let’s look at five common attack types that apply to these password-based scenarios:
•
•
•
•
•
Brute-force attack
Dictionary attack
Rainbow-table attack
Password spraying attack
Plaintext/unencrypted attack
NOTE There is no such thing as a do-it-all single password cracker. There
are hundreds of different password crackers, each with a different niche
depending on your needs.
Brute-Force Attack
A brute-force attack is the simplest and least-efficient type of attack against known
ciphertext/hashes. A brute-force attack attempts to derive a password or key by inspecting either ciphertext or a hash and then trying every possible combination of key or hash
until it can decrypt the plaintext or generate a match. The challenge to brute force is the
total number of iterations necessary to try every possible key combination. Consider a
captured WPA handshake. The key is 128-bit, so it can go from 128 zeros to 128 ones,
plus all the combinations in between.
02-ch02.indd 138
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-8: Cryptographic Attacks
139
So, how long does it take to try 2128 combinations? Longer means more combinations
and therefore harder, so 2128 is equal to
3.40282366920938463463374607431768211456 × 1038
That’s a huge number, but computers are powerful. A single, very high-end Intel
Core i7 can process at half a trillion floating point operations per second (FLOPS), and
you can readily source a computer with a lot of these CPUs. Additionally, password
crackers are carefully optimized to take advantage of all those FLOPS. In fact, the better
crackers can even take advantage of powerful graphics processing units (GPUs) on video
cards as well as special-purpose application-specific integrated circuit (ASIC) devices that
work hundreds or even thousands of times faster than a CPU (Figure 2-38).
So, without spending outrageous text on the intricacies of CPUs, FLOPS, GPUs, and
such, we can arguably say that a very high-end cracking system could process 1 trillion
cracking attempts per second. It would take something like 10,790,283,070,806,014,188
years to try every possible key. If that seems like an impossibly long time to you, it is.
Keep in mind that the key might be all zeros, which means you will get the WPA key on
the very first try. Alternatively, the key might be all ones, which means you would have
to try all 2128 combinations.
This might make you think that brute force is useless, and it is for relatively large
keys. Shorter keys, however, can easily be cracked. For example, a 56-bit DES key can
be cracked (using the preceding assumptions) in about 20 hours. As computing power
increases, what was once a long key or hash becomes short. That’s why keys and hashes
get longer and longer over the years.
Figure 2-38 Typical ASIC
02-ch02.indd 139
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
140
But even if we can run a brute-force attack in hours, why not come up with attacks
that speed up the process? How can we narrow down the possible number of keys to try?
Dictionary Attack
Easily the weakest aspect to passwords is the fact that human beings create them. People
produce passwords like this one:
Password123
This is a great password, right? It mixes upper- and lowercase letters and numbers.
Hmm … not so much when it comes to modern cryptographic attacks.
People rarely create a password that looks like this:
1x3^^7vEssde6)
That’s a far more awesome password, but it’s just not what typical people create.
With this thought in mind, we can tell our cracking program to read a text file filled
with all the common words in the (in this case) English language—a dictionary file. The
cracking software will then use this dictionary file instead of brute force in a dictionary
attack. Here is a tiny, tiny piece of a dictionary file downloaded from the Internet:
A
AA
AAA
AAAA
a
aa
aaa
aaaa
As you can see, most dictionary files include lots of non-words as well. That’s because
non-words like “AAAA” or “QWERTY” or “NASA” are commonly used for passwords.
A small dictionary file might only store a few million passwords. The largest dictionary
files contain many millions of passwords.
NOTE If you recall the discussion of password policies from Chapter 1, you
might see a nice attack opportunity here. A perpetrator who obtains a copy
of an organization’s security policies could readily see specific password
policies. If the policy sets password length to 16+ characters, for example,
the perp won’t waste time or computational power on shorter passwords,
but rather cut straight to the chase.
Good dictionary attack tools don’t try only passwords in the dictionary list. Check out
the dictionary attack settings for Cain & Abel in Figure 2-39. Note the options that allow
you to modify the dictionary. If your dictionary file has the word cheese, for example,
Cain & Abel will let you
• Reverse the word: eseehc
• Double pass: cheesecheese
02-ch02.indd 140
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-8: Cryptographic Attacks
141
Figure 2-39 Cain & Abel dictionary options
•
•
•
•
•
Uppercase to lowercase: not applicable, as cheese is all lowercase
Lowercase to uppercase: CHEESE
Number substitution: ch33s3
Case permutations: Cheese, cHeese, etc.
Add one or two numbers to the end: cheese1, cheese44
You can argue that these options add a brute-force aspect to a dictionary attack.
A dictionary attack combined with brute-force options such as these is called a
hybrid attack.
NOTE As a quick mental exercise, ask yourself this question: Would the Cain
& Abel tool be able to derive any of the passwords you use?
02-ch02.indd 141
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
142
Figure 2-40
Hydra in action
Keep in mind there’s a huge difference in the quality of dictionary files. I keep a set
of dictionary files, accumulated over the years from many sources, sorted by length of
password, lowercase/uppercase, special characters, numbers in front, and so forth. With
good dictionary files, good understanding of the tools, and belief in the laziness of people
to use poor passwords, I can crack most any offline password in a few hours, a classic
offline attack scenario.
What if you don’t have any ciphertext to attack? What if you just want to try a few
million passwords to try to log into a Web site? That’s a classic online attack situation and
it’s no problem! There are plenty of online dictionary attack password crackers such as
the popular Hydra (Figure 2-40). Online attacks are slow, but it’s easy to start an attack
and let it run for days or weeks.
Rainbow-Table Attack
The challenge to dictionary attacks, particularly when you are trying to crack hashed
passwords, is the fact that you have to take a word in the dictionary, hash it, then compare
the hash to the hash in the password file. You could include hash values for all the entries
in a dictionary file using common hashing algorithms to increase the effectiveness of a
dictionary attack. The SHA-256 hash for “password” will always be
5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
So, what if we edited our dictionary files to include the hash? Sure, it might take weeks
to generate the billions of hashes and save them in our dictionary file, but once it’s done,
02-ch02.indd 142
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-8: Cryptographic Attacks
143
Figure 2-41
Simple dictionary
files with hashes
are too massive
for practical use.
Whoa!
Way too big!
we have a file that includes the dictionary word as well as the hash. Such a dictionary file
would start like this:
a, ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb
aa, 961b6dd3ede3cb8ecbaacbd68de040cd78eb2ed5889130cceb4c49268ea4d506
aaa, 9834876dcfb05cb167a5c24953eba58c4ac89b1adf57f28f2f9d09af107ee8f0
aaaa, 61be55a8e2f6b4e172338bddf184d6dbee29c98853e0a0485ecee7f27b9af0b4
Using such an inclusive dictionary file could make a dictionary attack brutally effective.
Except there’s a huge problem. Files like these are massive, potentially in the hundreds of
petabytes range for dictionary files that include really long passwords. They are simply
too big for practical use (Figure 2-41).
Math comes to the rescue! Using complicated math well outside the scope of the
CompTIA Security+ exam, a password cracker can create a rainbow table, a dramatically
reduced-sized dictionary file that includes hashed entries.
NOTE Online vs. offline, which is better? You can run brute-force, dictionary,
and rainbow table attacks either way, but offline is faster if you have a key.
Rainbow tables are binary files, not text files. Figure 2-42 shows the contents of one
set of rainbow tables, designed to help crack the old Windows XP–style List Manager
passwords files. Rainbow tables for more advanced operating systems can be much larger,
although always much smaller than a traditional dictionary file with hashes.
02-ch02.indd 143
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
144
Figure 2-42 Rainbow tables for Windows XP passwords
Rainbow tables were long the first choice for cracking passwords; such attacks are fast
and generally very successful. Rainbow tables were so popular that you can find online
services that let you load hashes to crack, and powerful systems will crack a password for
just a few dollars (Figure 2-43). (Or, you can use GPU brute force, which is how modern
hackers do it.)
Password Spraying Attack
In a password spraying attack, an actor applies a few common passwords to many accounts
in an organization. By applying “123456” or “password1” to 100 different accounts, for
example, the attacker tries to find an entry into the network while avoiding lockouts and
remaining undetected. Single sign-on (like in a Windows domain) and cloud accounts
provide the most tempting targets of password spraying.
Plaintext/Unencrypted Attack
Attackers can use packet sniffing software to monitor and capture traffic on a network.
If passwords are sent in plaintext or unencrypted, it’s game over instantly. Depending on the encryption strength, attackers can decrypt a lot of encrypted traffic given
02-ch02.indd 144
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-8: Cryptographic Attacks
145
Figure 2-43 One of many online cracking services
enough time. CompTIA uses the term plaintext/unencrypted as a type of password attack,
but it’s more commonly referred to as a generic packet sniffing attack.
EXAM TIP The simplest and most effective password attack is to ask the user
for his password. It works (allegedly, not that I’ve done anything like this!).
Defending Password Storage
Between brute-force, dictionary, and rainbow attacks, traditional hash password storage
has been under prolonged attack, making it important for cryptographers to come up
with methods to make password storage more robust against these attacks. Salts and key
stretching offer protections.
Salts
A salt is an arbitrary value, usually created by the application or operating system storing passwords, added to the end of a password before it is hashed. If a user’s password is
1234567, for example, a system might add an eight-character preset value, a salt, to the
end of the password as such:
1234567akxcf3sf
When hashed (in this example SHA256), it looks like this:
a75f22d3cd5aea740f2a17b0275bfacd0c822aca
02-ch02.indd 145
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
146
Salts defeat rainbow tables simply because (hopefully) there are no rainbow tables
that include dictionary terms plus the string akxcf3sf. Salts are common in just about
everything that stores passwords. The downside is that a salt must be stored. If someone
had access to your hashes, they also have access to the salt. They can run dictionary
attacks, but now they must add the salt every time and recalculate the hash, slowing
cracking down immensely. Also, it is possible to grab a salt and re-create a rainbow table,
although this is also a slow process.
EXAM TIP All modern operating systems use salts in password storage. You’ll
see the term “salting” on the CompTIA Security+ exam to mean “using a salt.”
Cryptosystems often use a nonce instead of, or along with, a salt to enhance security.
A nonce is a number used once that helps in the transmission of shared keys, among many
other uses. Because it’s used once and not repeated, a nonce prevents common attacks—
called replay attacks—from cracking encryption.
Key Stretching
Another trick used to make cracking harder is key stretching. Keys are almost always generated from some plain English password. If we just hash the password, it doesn’t take a
lot of time for an attacker to pick a potential password, hash it, then compare the results
to a password hash file. But what if we were to make the process by which a key is derived
from a password more complex? We can do so with a key derivation function. What if,
for example, we hashed an initial password five times to then derive the key? This would
require the attacker to run not just one hash, but five hashes for every iteration. Using
key derivation functions that intentionally slow this derivation of keys is key stretching.
There are several key stretching key derivation functions; two stand out: PBKDF2
and bcrypt.
Password-Based Key Derivation Function 2 (PBKDF2) combines adding a very long salt
and a huge number of hashing iterations to make a key. PBKDF2 doesn’t set the number
of hash iterations. Some operating systems that employ PBKDF2 use 10,000 iterations!
bcrypt generates hashes based on the Blowfish cipher. In many ways similar to
PBKDF2, it also has flexible hash iterations. bcrypt has a very long key derivation process
and is considered stronger than PBKDF2.
Other Attack Options
Several types of cryptographic attacks deviate from the crack-the-password variety. This
section explores three such attack types:
• Collision attacks
• Known-plaintext attacks
• Implementation attacks
02-ch02.indd 146
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-8: Cryptographic Attacks
147
Collision Attack
A collision attack exploits the fact that hashes have a finite size, and there will be
times when two different values create the same hash, a hash collision (as described in
Module 2-5). Given that hashes provide integrity, an attacker may take advantage of
collisions to do harmful things. For example, if an attacker can create a collision with a
digital signature; she doesn’t need to know the actual private key, just a value to make an
identical signature.
There’s no magic to creating a collision. You use brute force on millions of hashes until
you get one that collides. This is a big job, but there are some interesting aspects of hashes
that make it a bit easier. The most well-known is the birthday attack.
It seems that every undergraduate statistics class begins with the teacher looking out at
his or her class and saying, “There are 30 students in this classroom. What are the odds
that two people share the same birthday?” They are surprisingly high; for 30 students,
about 70 percent.
The same situation happens with hash collisions. A 64-bit hash has approximately
1.8 × 1019 different outputs. While this number is huge, the goal here is to find another
identical hash. That’s where the birthday statistic applies. It only takes roughly half
(5.38 × 109) to generate a collision using brute force.
Known-Plaintext Attack
A known-plaintext attack isn’t a true attack as much as it is an attack strategy. If you
have both a known plaintext and the ciphertext, you can sometimes derive the key
itself. Known-plaintext attacks have worked many times in the past. It’s how the British
cracked the Nazi Enigma code in World War II. Military messages followed rigid forms,
for example, so some words would always be in the same relative place. Messages would
end with Heil Hitler, in other words, and wetter (weather) was consistently placed.
Implementation Attack
Any cryptosystem has weaknesses or aspects that attackers may use to help them. Attacking the WEP weakness described earlier is a classic example of a weak implementation
attack. Download and replay attacks exploit weaknesses in implementation.
Downgrade Attack Almost all of today’s cryptosystems give a client multiple ways to
access a system. One of the best examples is TLS. A Web server using TLS supports several
authentication and encryption methods to give flexibility for different Web browsers. In
TLS, a client and a server traditionally request the most robust encryption. In a downgrade
attack, the attack makes a legitimate request to the Web server to use a weak, deprecated
algorithm that’s easier to crack (Figure 2-44) in hopes of then successfully getting keys,
passwords, and so forth.
NOTE A deprecated algorithm is an algorithm deemed obsolete or too
flawed for use by the IT community. Deprecated means no one should use it
in the future.
02-ch02.indd 147
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
148
Figure 2-44
Downgrade
attack against TLS
I offer 256-bit AES
encryption!
Can I just use
DES?
Web Server
Replay Attack In many situations, an attacker can sniff or capture traffic on a network,
monitoring the different communications taking place. A replay attack is an attack where
the attacker captures some type of legitimate traffic and resends it as needed to do
something malicious. Here’s an example:
Bob: “Hey Joe, I need you to send the encryption keys for this session to me.”
Joe: “Okay, Bob, here you go.”
Bad Guy Mike: “Hey Joe, I need you to send the encryption keys for this session to me.”
Joe: “Okay, Bob. I thought I just did, but whatever. Here you go.”
Bad Guy Mike: “Mwuhuhahahahaha….”
NOTE True replay attacks tend to be more complicated than the Bad Guy
Mike scenario. A hacker might steal all the back and forth in a certificate
exchange, for example, and then boot the originator off just before completion.
Then the hacker would resend the same stream. But you get the idea.
Module 2-9: Other Cryptosystems
This module covers the following CompTIA Security+ objective:
• 2.8 Summarize the basics of cryptographic concepts
Several cryptosystems—current and speculative—fall outside the classic paradigms
of symmetric and asymmetric cryptosystems. Depending on the field you wind up in as
an IT security professional, you might encounter and need to work with one or more of
these non-classical cryptosystems. This module explores four cryptosystem fields:
•
•
•
•
02-ch02.indd 148
Homomorphic encryption
Blockchain
Quantum cryptography
Post-quantum cryptography
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Module 2-9: Other Cryptosystems
149
Homomorphic Encryption
A clear challenge to storing data in the cloud is ensuring that personal data remains
private. An organization cannot risk the possibility that an individual’s medical data, for
example, could be shared or mined or even known without the explicit permission of
the individual. Cryptographers have kicked around the problem and sought solutions
since the late 1970s, but the beginnings of practical answers finally came in 2009 with
the publication of Craig Gentry’s Stanford University PhD thesis, “Fully Homomorphic
Encryption Using Ideal Lattices.” We’ll spare you the details on how Gentry’s initial
scheme worked and how subsequent developments (with input from other awesome
cryptographers) made current cryptosystems work.
Homomorphic encryption enables manipulation of encrypted data—without
decrypting—that then applies to that data when it’s decrypted. Wrap your head around
that for a moment. Private, encrypted data can be outsourced to the cloud without
compromising the privacy of that data. It means researchers can run analytical scans on
encrypted data, get amazing amounts of information, and never compromise the private
records of individuals.
Cryptographers see the current state of homomorphic encryption as the third
generation. Gentry and his collaborators continue to innovate in the field. The world
awaits the future.
Blockchain
E-commerce on the Internet relies on hierarchical cryptosystems. Certificate authorities
(CAs) provide certificates to organizations; that creates trust. We can buy from https://
amazon.com or https://linengarb.com with trust that our financial information (credit
card numbers and such) won’t be compromised. Encryption, hashing, and other
aspects of cryptography provide the secure connection between our computers and the
e-commerce servers. Moreover, traditional institutions such as banks and credit card
companies facilitate the flow of our money to vendors. Users of e-commerce, therefore,
rely heavily on institutions that are not the seller.
Blockchain radically disrupts this model, creating a decentralized, peer-to-peer system
for secure interaction between buyer and seller. Here are the details.
The shadowy figure Satoshi Nakamoto—real identity unknown—invented blockchain
in 2008 to support the bitcoin cryptocurrency. Bitcoin is a topic for a whole other book,
but in a nutshell, it’s money, called cryptocurrency, that’s not tied to any bank or nation
state. Blockchain provides the peer-to-peer record—public ledger, in bitcoin speak—of
all the transactions among people using bitcoin. You buy a pizza and pay for it using
bitcoins, for example; that transaction goes into all the computers connected into the
blockchain. The pizza joint now has bitcoins to spend on something else available in
the market.
Bitcoin and blockchain rely on public key infrastructure (PKI) cryptosystems to ensure
safe storage of the currency and the transactions as well. You know about PKI from
previous modules. Everything you learned applies here. Private keys must stay private (or
else your bitcoins will get stolen); public keys are just that, public. Encryption/decryption
works the same.
02-ch02.indd 149
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
150
The fundamental difference between traditional e-commerce and commerce
conducted with bitcoin and blockchain is the decentralized structure of the latter.
Quantum Cryptography
The nascent field of quantum cryptography uses the vast power of quantum computers
to fundamentally transform cryptosystems used today. Huh? The math works, but the
machines barely exist today. Here’s the scoop in layman terms.
Researchers postulate that we can build computers that can transmit data based on
qubits, rather than simple binary digits. A qubit is a particle that’s a binary digit but
captured in time, so it’s almost a 1, for example, or transitioning to a 0. The math is a lot
more precise than the terms used here, of course. The key for security is that the state of
a qubit is fragile; a hacker intercepting a stream would get only 1’s and 0’s because the
qubits would collapse to the full binary state closest to its relative position. Think of this
as rounding up or rounding down, like in basic math.
This sounds like science fiction, but for relatively short distances, quantum computers
work. The field of quantum communication, for example, has established connections
between quantum computers over fiber-optic lines that regularly transact business using
quantum key distribution (QKD). The connection between Shanghai and Beijing banks
using quantum communication is over 2000 kilometers!
Quantum cryptography relies on quantum computers to accomplish a couple of
things. First, future complex quantum computers (theoretically) can easily crack modern
secure cryptosystems, especially RSA and Diffie-Hellman. Second, key distribution
using something called quantum entanglement holds the promise that it should become
completely secure, a positive development.
Quantum cryptography remains in the realm of theory, not practical application
today. The math works, but building machines that can handle the complexities involved
seems a decade or more in the future.
If quantum computing breaks much of classic cryptography, does this mean the end?
Not at all. Quantum computing may be wonderful at breaking classic “easy one way
but hard the other way” forms of encryption, but cryptographers are already preparing
for the future. The flip side to quantum cryptography, called post-quantum cryptography,
speculates cryptographic algorithms that can withstand any attack using quantum
computers. Wildly complex forms of encryption are already being developed, although
it will be years before any form of encryption algorithm will be forwarded for public use.
Questions
1. Which of the following types of algorithms encrypts specified sizes of groups of
text at a time?
A. Asymmetric
B. Symmetric
C. Streaming
D. Block
02-ch02.indd 150
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Questions
151
2. You must implement a cryptography system in your organization. You need to
be able to send large amounts of data quickly over the network. The system will
be used by a very small group of users only, and key exchange is not a problem.
Which of the following should you consider?
A. Asymmetric cryptography
B. Symmetric cryptography
C. Hybrid cryptography
D. Key escrow
3. Which of the following asymmetric algorithms uses a maximum key size of
4096 bits?
A. AES
B. Diffie-Hellman
C. RSA
D. ECC
4. Which of the following asymmetric algorithms is widely used on mobile devices
because of its low computational power requirements?
A. ECC
B. ElGamal
C. Diffie-Hellman
D. GPG
5. Which type of algorithm is typically used to encrypt data at rest?
A. Symmetric
B. Asymmetric
C. Streaming
D. Block
6. Which of the following places secrecy of the key versus secrecy of the algorithm as
the most important factor in developing secure and reliable cryptosystems?
A. Data Encryption Standard (DES)
B. Advanced Encryption Standard (AES)
C. Kerckhoffs’ principle
D. Digital Signature Algorithm (DSA)
7. Which of the following algorithms produces a 40-character message digest?
A. MD5
B. SHA-1
C. RIPEMD-128
D. Blowfish
02-ch02.indd 151
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 2
Chapter 2: Cryptography
152
8. If an individual encrypts a message with his own private key, what does this assure?
A. Confidentiality
B. Message authenticity
C. Integrity
D. Availability
9. Which of the following entities can help distribute the workload of the CA by
performing identification and authentication of individual certificate requestors?
A. Subordinate CA
B. Root CA server
C. Authentication authority
D. Registration authority
10. Which of the following serves as the master certificate server in an organization?
A. Intermediate CA server
B. Root CA server
C. Subordinate CA server
D. Kerberos KDC
Answers
1. D. Block algorithms encrypt entire groups of bits of text, usually of specific sizes.
2. B. In this scenario, symmetric key cryptography would probably be the best
choice, since the user group is very small and key exchange is not a problem. You
also have the requirements of speed and efficiency, as well as the ability to send
large amounts of data. All are advantages of using symmetric key cryptography.
3. C. RSA uses key sizes between 1024 and 4096 bits.
4. A. Elliptic-curve cryptography (ECC) is an asymmetric algorithm widely found in
use on mobile devices because it requires low amounts of computational power.
5. A. Symmetric algorithms are typically used to encrypt data that resides in storage.
6. C. Kerckhoffs’ principle states that reliable cryptosystems should depend upon
the secrecy of the key, rather than the secrecy of the algorithm.
7. B. SHA-1 is a 160-bit hashing algorithm that produces a 40-character hexadecimal
message digest, or hash.
8. B. If an individual encrypts a message with his private key, this ensures message
authenticity, since he is the only person who could have encrypted it.
9. D. The registration authority (RA) can help distribute the workload of the CA by
performing identification and authentication of individual certificate requestors.
10. B. A root CA server is the master certificate server in an organization.
02-ch02.indd 152
25/03/21 2:12 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
CHAPTER
Identity and Account
Management
3
Be who you are and say what you feel because those who mind don’t matter and
those who matter don’t mind.
—Dr. Seuss
Everything that is networking, everything that is the Internet, the whole reason to run
cables, set up routers, configure firewalls and applications, and sit on the phone for
hours with balky ISPs is really only to do one job: share resources. These resources are
Web pages, e-mail messages, VoIP conversations, games…. The interconnected world
has millions of resources for people to use to make work and leisure more convenient,
more efficient, more inexpensive … and more fun (Figure 3-1).
Resources are useless unless there’s someone or something accessing and using them.
A Web page has no value unless someone accesses it. A shared folder does nothing unless
users read, modify, and delete files stored in those folders. E-mail messages sit on a server
unread until you read them. Users must run client software to use those resources.
Offering a resource for anyone to use has major pitfalls. Users are at best ignorant,
often nosy, and at worst, downright evil (Figure 3-2). IT professionals manage how users
access the many resources.
This chapter dives deeply into identity and account management: using methods and
technology to control who accesses resources and what they can do with those resources
once they have access (Figure 3-3).
153
03-ch03.indd 153
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
154
All for sharing!
Figure 3-1
Lots of resources!
Web
Apps
Games
Disk
Storage
E-mail
Web
Pages
VoIP
This chapter covers various distinct aspects of access control in six modules:
•
•
•
•
•
•
Understanding Authentication
Authentication Methods and Access Controls
Account Management
Point-to-Point Authentication
Network Authentication
Identity Management Systems
I don’t want
to PAY for
this game.
So…Much
EVIL!!!!
Jane makes
more than
me!
Delete All?
Am I sure?
YES I AM.
Resource
Figure 3-2 Unmanaged access to resources is foolhardy.
03-ch03.indd 154
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-1: Understanding Authentication
155
Figure 3-3
Controlling
resources
Wait. Who are you?!?!?
No Trespassing
Games
Disk
Not
You!
Storage
Email
STOP!!!
Web
Pages
Keep Out
Module 3-1: Understanding Authentication
This module covers the following CompTIA Security+ objectives:
• 2.4 Summarize authentication and authorization design concepts
• 3.8 Given a scenario, implement authentication and authorization solutions
Identity and access management, like most CompTIA Security+ topics, brings a ton
of concepts and specific jargon that serious students need to digest before implementing
systems in the real world. This module explores identification and AAA (authentication,
authorization, and accounting), then looks at concepts of trust, such as authentication
structures and federated authentication.
Identification and AAA
Identification, authentication, authorization, and accounting work together to manage
assets securely. This section briefly reprises what you read about in the Introduction on
core security concepts.
Imagine an asset, a shared resource, as a box. Authentication functions like a lock on
that box. For a user to access the box, he must have some kind of key or credentials to get
through the lock (Figure 3-4). The information in those credentials identifies the user
with respect to that system. (That’s the identification part.) In analogy terms, it’s a pretty
complicated lock that opens different portions of the box depending on the key used.
Authorization determines what the user can do with the contents of the box with
the specific credentials he used. Authorization is nuanced, because of variables in what
people can do. Consider a shared folder on a Windows system in a local area network
(LAN) that contains a single file. You can do a lot to that file. You can view the file,
edit the file, or delete the file. (You can do much more than this, but this is enough for
now.) Authorization defines what a user may do to that file. Think of authorization as a
checklist (Figure 3-5).
03-ch03.indd 155
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
156
Figure 3-4
Authentication as
a lock
You have to get
past me!
Disk
Storage
Figure 3-5
Authorization as
a checklist
This key lets you:
Read folder contents
Modify files
Add files
Delete files
Disk
Storage
Accounting means to keep a historical record of what users do to shared resources.
Look at accounting as a sign-in sheet associated with the shared resource (Figure 3-6).
Identification and Authentication
The typical locked box and key analogy struggles when taken from physical access to
electronic access. Granting access in the physical world, like a door lock on a real door,
works fine because people don’t generally hand out a key to someone they can’t identify.
In the electronic world, how do we identify individual users?
Back in the early days of PC networking—for example, early versions of Windows
that predated NTFS—this problem was simply ignored. Resources such as shared folders
had no associated user accounts. If you wanted to share a folder, you just gave that folder
a single password, which in turn was passed out to everyone to whom you wanted to give
access (Figure 3-7).
More commonly today, user accounts identify individual users. A user account is
generally nothing more than a line in a table (remember the user names in password
03-ch03.indd 156
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-1: Understanding Authentication
157
Figure 3-6
Accounting as a
sign-in sheet
What’s been done
here?
Bob modified file sales.doc.
Janet deleted file stuff.doc.
Fred tried to delete data2.doc.
Penny logged off the system.
Disk
Storage
storage in the previous chapter?) that identifies an individual user by some value, such as
a User Name, UserID, Social Security Number, and so on. Figure 3-8 shows one example
of a user account in Windows Server.
A user account must include some authentication factor(s) or attribute(s) to
provide any kind of security. Identification is by itself insufficient for authentication.
Figure 3-7
Old Windows
shared folder
03-ch03.indd 157
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
158
Figure 3-8 Windows Server user account
An authentication factor or attribute reveals some unique aspect of the identified user.
Passwords are very common but just scratch the surface. Let’s look at authentication
factors and attributes in a lot more detail.
Authentication Factors and Attributes
Authentication systems use different characteristics of identification to identify a user
and validate her credentials. These different methods—factors and attributes—depend
upon the method of identification used. Several different factors and attributes can be
used either separately or, preferably, together. Single-factor authentication uses only one
factor or attribute. Multifactor authentication (MFA) uses more than one factor or attribute. (You’ll also see the term two-factor authentication to describe systems that use two
factors or attributes.) Using more than one factor or attribute at a time provides more
security and represents better authentication.
There are three authentication factors used in computing:
• Something you know
• Something you have
• Something you are
There are four common attributes:
•
•
•
•
Something you do
Somewhere you are
Something you exhibit
Someone you know
EXAM TIP The CompTIA Security+ exam will test you on the difference
between single-factor and multifactor authentication. Single-factor
authentication uses only one factor or attribute; multifactor uses at least two
factors or attributes.
03-ch03.indd 158
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-1: Understanding Authentication
159
Figure 3-9
Knowledge
factor
I know a password!
Something You Know The knowledge factor relates to something you know, typically
used when you identify yourself to a system with a user name and password combination.
You know your user name and password, and use your memory to present them to the
system (Figure 3-9).
Although you use two details for this credential, it is still considered a single-factor
form of authentication because it involves only something you know. This single-factor
form of authentication can be compromised easily if someone gains access to it—in this
case, if they learn your user name and password. If you’ve written them down somewhere
or told someone your user name or password, you have effectively transferred that factor
to the other person, and it could be considered compromised.
Something You Have The possession factor relates to something you have. You
physically possess an object to use as an authenticator. Scanning a gym membership card
to gain access, for example, uses something you have. When used in this manner, the card
alone is a single-factor form of authentication.
More often than not, however, these types of authenticators require some additional
method of authentication. Typically, this could be something you know, such as a
personal identification number (PIN) or password. When used in this manner, the card
and PIN are a multifactor form of authentication. You use two different types of factors:
the possession factor and the knowledge factor.
Smart cards and tokens are probably the most commonly used multifactor form of
authentication that uses the possession factor. Smart cards are plastic cards with electronic
chips in them that contain a limited amount of information related to the user, such as
public and private keys. Smart cards enable users to access facilities, secure areas, and
computer systems.
Physical tokens usually display a complex series of changing numbers. When a token
is used to access a system, the user must also enter a PIN or password known only to her
in conjunction with the token and its own number. The system uses these two factors to
validate the user. Figure 3-10 shows an example of a token.
Something You Are The inherence factor relates to something you are, relying on a
person’s unique physical characteristics that can be used as a form of identification, such as
fingerprints, retinal eye patterns, iris patterns, handprints, and voiceprints (Figure 3-11).
These unique biometric characteristics of a person are difficult to replicate or fake. (See
“Biometrics” in Module 3-2 for more specific details on how organizations incorporate
biometric scanning in security.)
03-ch03.indd 159
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
160
Figure 3-10
Possession factor
142
688
753
I have a hardware
token!
Inherence factors can also be used in conjunction with an additional factor in an MFA
system. Newer laptops and smartphones often arrive with a fingerprint scanner built into
them, for example, and the user must scan his fingerprint and enter a PIN or password
to access the system. Secure facilities may also require fingerprint or handprint factors in
their authentication systems. It’s also not unusual to see multiple inherence factors used
for an even stronger authentication system.
Something You Do Something you do, meaning that when you present your credentials
to the system, you must perform an action (Figure 3-12), is a common attribute that
accompanies authentication factors. The best example of this type of authentication
attribute is when you use a finger or hand gesture on a smartphone or tablet to log in.
The pattern you create using your finger or hand is the something you do. The user
credentials database of the system you access stores that pattern. When the authentication
system confirms that these patterns match, you gain access to the device or system.
Some forms of authentication that use this type of gesture are single-factor if that’s the
only thing you’re required to do to access the system. Other authentication systems may
also require an additional factor, such as entry of a PIN, making it a multifactor form of
authentication.
EXAM TIP CompTIA Security+ objective 2.4 adds another word to describe
the action attribute: something you can do. Describing a potential action as
an authentication attribute seems a little odd, to say the least. Just don’t
miss this on the exam.
Figure 3-11
Inherence factor
03-ch03.indd 160
I have a
fingerprint!
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-1: Understanding Authentication
161
Figure 3-12
Action attribute
I use a pattern!
Somewhere You Are The location attribute relates to your location when you
authenticate. This attribute could use either physical or logical locations and requires
you to be in a certain location when you authenticate to the system (Figure 3-13). From
a physical perspective, for example, in a highly secure facility, you may need to use a
specific workstation, located in a certain room, to authenticate to the system before you
can work on it from any other location. Because you would likely have to authenticate
with other physical protections and controls to get into this room, this very secure form
of authentication would allow only a limited number of people to access the system.
From a logical perspective, a location attribute could be used as an authentication
attribute if you are required to authenticate from a certain device that has a specific
digital certificate assigned to it, or from behind a certain network device, physical port,
or even a subnet. This doesn’t necessarily limit you by requiring authentication from a
single physical location; rather, the logical location with respect to the network and the
authentication system being used would be important. This might ensure that you do
not attempt to authenticate from an untrusted network or device.
Something You Exhibit Something you exhibit can refer to something neurological
that can be measured or scanned; it could be a personality trait or a mannerism. Speech
analysis systems could very easily identify Barak Obama from the cadence of the way he
talks, for example, with distinctive pauses. This is not a commonly used attribute today
in cybersecurity.
Someone You Know The someone you know attribute reflects a trust relationship.
John Bob—known and trusted by the system—vouches for Rebecca Sue.
Figure 3-13
Location
attribute
You Are Here
03-ch03.indd 161
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
162
NOTE An additional authentication attribute that you won’t see on the
CompTIA Security+ exam is temporal, relating to somewhen you are.
Systems can set specific login times and restrict others, for example. You’ll
definitely hear arguments that the temporal attribute is a control, not an
authentication attribute, and thus belongs in authorization.
Knowledge-Based Authentication
In knowledge-based authentication (KBA), users provide answers to questions or shared
secrets to prove their identities. You’ll see KBA implemented in scenarios involving
online banking systems, for example, where users authenticate (or recover a forgotten
password) by stating common authentication factors (such as name) and also answer
questions presumably only they would know, such as “What was your first pet’s name?”
or “What was your first car?” The use of pre-agreed or pre-shared secrets is also known
as static KBA.
Dynamic KBA, in contrast, uses information about the user gleaned from public
data—what the authenticating system can gather from a Web search—and private data,
such as a credit history. A lack of shared secrets makes dynamic KBA more secure than
static KBA, though it’s more difficult to implement.
NOTE As you progress through this chapter, keep in mind the balance
among cost, implementation time, and expertise required to put systems
in place. The Woodland Heights Community Bank might have the need for
multifactor, layered authentication plus serious physical controls. Jane’s
coffee shop Wi-Fi network, on the other hand, might need a far lighter
touch. Security folks weigh cost versus need when recommending and
implementing systems.
Authorization
Authentication gets you in the door of a shared resource; the key unlocks the box. Authorization defines what you can do once you authenticate. Users have rights or permissions
to do certain things to shared resources. This presents some unique challenges because
different resources often have wildly different permissions based on the type of resource.
To get an idea of how resources can vary, let’s consider two different types of resources:
a printer and a Web page. Figure 3-14 shows permissions you can assign to a shared
printer in Windows. Note three permissions: Print, Manage this printer, and Manage
documents. These permissions make sense, as these are the actions we need to do to
a printer.
Compare printer permissions to the permissions of a Web server program, shown in
Figure 3-15. A simple HTTP server only has two permissions: allow access or deny access.
The downside to applying permissions to user accounts is that users and their
permissions change over time. People quit, employees get promoted, customers leave,
students graduate, and so on. Keeping up with the process of creating/deleting users and
adding/changing permissions when people’s situations change can be an administrative
nightmare.
03-ch03.indd 162
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-1: Understanding Authentication
163
Figure 3-14 Printer permissions in Windows 10
Figure 3-15 Web permissions in Internet Information Services
03-ch03.indd 163
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
164
Figure 3-16 Groups in FileZilla
Groups streamline this process by organizing similar users into collections. Applying
permissions to groups lowers administrative work. When a user needs permission
changes, you can assign the user to the group with the appropriate permissions. Almost
every type of authorization uses the idea of groups. Figure 3-16 shows group settings for
FileZilla, an FTP server program.
Authorization goes deeper than simply users, groups, and permissions, but this level of
detail should suffice for now. We’ll dive deeper into authorization throughout this chapter.
NOTE We touched on onboarding and offboarding policies way back in
Chapter 1. Such policies can have a dramatic impact on organizations.
That’s why security staffs spend a lot of time analyzing and reviewing
decommission and termination policies and procedures.
Accounting
Accounting or auditing enables security professionals to keep track of the accesses that
take place on any given resource over time. Windows enables administrators to set
audit policies on many aspects of the computer. Figure 3-17 shows the Local Security
Policy snap-in on a standalone Windows 10 computer. Note the categories of audits in
the background; the window on top shows auditing set to track failed logon attempts.
Windows domain administrators would use the Group Policy Management Console
(GPMC) to audit domain-level access to resources.
03-ch03.indd 164
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-1: Understanding Authentication
165
Figure 3-17 Local Security Policy snap-in
The technologies that support authentication, authorization, and accounting are known
as AAA. We’ll delve into these technologies in more detail in later chapters, but for now make
sure you understand that accounting/auditing is very much a part of access management.
EXAM TIP You can use Event Viewer in Windows to view logs of what you’ve
set the computer or domain to audit. Pay attention to the wording of the
question to know whether you’re setting audit policy or viewing logs of
audit events, then pick the right tool.
Trust
Access management builds on the concept of trust in several ways. First, the system must
trust that the user presenting credentials is in fact the user represented by those credentials. Second, the system must trust the integrity of the user credentials database, in that
the data is current and correct and the system is functioning normally and returns the
03-ch03.indd 165
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
166
correct information so the user can be validated. Third, the system must trust the authenticity of the hardware or software that generated the credentials.
Organizations must trust their own authentication systems and, sometimes, those
of another entity or organization. In this section, we’ll discuss authentication across
organizational boundaries, both from within and outside an organization. This
authentication often involves trust relationships that must be established between hosts,
systems, and other organizational entities.
Centralized and Decentralized Authentication
When an organization manages all its user accounts, credentials, and authentication systems as one unified system, this is said to be centralized authentication. In a centralized
enterprise authentication system, credentials are stored in one database and user accounts
have uniform security policies and requirements that apply across the entire organization. The authentication system performs authentication services for all systems, data,
and resources across the enterprise. Often, you will hear the term single sign-on (SSO) in
relation to a centralized system; this means that a single set of user credentials is used to
access resources across the enterprise. Whether a user is allowed or denied access to those
resources depends on the authorization and access control policy in place, not the user’s
credentials in the authentication process. In a centralized model, all hosts and resources
trust the central credentials database to take care of authenticating the user for them;
after that, it’s merely an issue of whether or not that user has the correct rights, privileges,
and permissions to access a resource or perform an action.
By contrast, in a decentralized authentication model, authentication occurs on a persystem, per-host, and even per-resource basis. No centralized authentication mechanism
serves to validate the user’s identity first; each system or resource makes an authentication
decision based upon its own user credentials database or access control list.
In a small office setting, for example, each user may be an administrator for her own
workstation and have the ability to create accounts on that workstation. If another user
wants to access a shared folder on another user’s workstation, he would need a separate
user name and password—on that workstation—just for that resource. It usually won’t
be the same user name and password he uses for his own workstation; even if an effort
is made to duplicate these across workstations, both accounts still reside in separate
databases on each workstation and are therefore not technically the same. If a password
in one set of credentials changes, for example, this doesn’t guarantee that the other set of
credentials on the other workstation will be updated as well.
Decentralized systems do not trust each other’s credentials database or authentication
mechanisms; they require a user to authenticate using his own systems and credentials.
Decentralized authentication also means that user account and password policies will be
different as well.
Trusts and Federated Authentication
Outside of organizational boundaries, users must often be authenticated to systems within another organization’s infrastructure. Examples of this include business partner relationships, where employees need to access documents in the partner company’s network,
or university students who must access an affiliate university’s shared library resources.
03-ch03.indd 166
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-2: Authentication Methods and Access Controls
167
In these examples, each organization may have its own centralized authentication system
that trusts its own users and systems but not users outside the organization’s boundaries.
Two ways of allowing outside users to access resources internal to an organization, and
authenticating those users, are though trust relationships and federated systems.
Authentication systems can establish a trust relationship, enabling users from each
system to authenticate to the other’s resources. The authentication system in one
company, for instance, may trust the authentication decisions (and vice versa) of a
partner company, allowing its users to access sensitive resources such as shared folders
and files. Trusts can be one-way or two-way (bidirectional); two entities may trust each
other’s authentication systems, but the relationship can also be such that entity A trusts
entity B’s authentication systems and decisions, but the reverse is not true.
One variation on this trust relationship is called a transitive trust. In this type of
trust relationship, there are more than two entities; if Company A trusts Company B’s
authentication systems, and Company B trusts Company C, then Company A may also
trust Company C’s systems by default. More often than not, though, trust relationships
between entities must be explicitly established instead of defaulting to transitive trusts.
A federated system involves the use of a common authentication system and credentials
database that multiple entities use and share. This ensures that a user’s credentials in
Company A would be acceptable in Company B and Company C, and only access
permissions would be the determining factor in accessing systems and data. Windows
Active Directory is a good example of a federated system in practice; user credentials
from different domains could be used in other domains if they are all part of the same
Active Directory forest.
EXAM TIP The CompTIA Security+ objectives refer to use of federated
systems as federation.
Attestation
Strong MFA schemes can incorporate attestation into their authentication. Attestation
assures that the hardware or software that created the authentication factors matches the
standards and protocols it’s supposed to use. Your key might look great, but was it made
on a Cyclon RXP Key machine running genuine BluePart software? As you might expect,
enabling attestation requires a lot more work and upkeep.
Module 3-2: Authentication Methods
and Access Controls
This module covers the following CompTIA Security+ objectives:
•
•
•
•
03-ch03.indd 167
2.4 Summarize authentication and authorization design concepts
3.7 Given a scenario, implement identity and account management controls
3.8 Given a scenario, implement authentication and authorization solutions
5.3 Explain the importance of policies to organizational security
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
168
Identity, authentication, and authorization enable secure access of resources, as you
know from the previous module. This module explores the nuts and bolts involved in
implementing these schemes. We’ll start with authentication methods, explore biometrics,
and finish with access control schemes employed in authorization.
Authentication Methods
Organizations need real-world methods, real-world mechanisms to identify, authenticate, and authorize. They need tools that verify the authentication factors (something
you know, something you have, and something you are) you learned in Module 3-1. Let’s
explore the technologies used to implement authentication.
NOTE There are a lot of authentication methods, but the CompTIA Security+
objectives only cover a few of the most important and common ones. In
addition, the exam goes into great detail on some of these methods, while
barely touching others. To make sure we cover the exam objectives, some of
the methods listed in this module (user name/password is a great example)
get quite a bit more coverage later in the book.
User Name/Password
The user name/password combination has been around from the earliest days of authentication. You’d be hard-pressed to find an application or operating system that doesn’t
use user name/password as the primary authentication mechanism, from logging into a
Linux system to connecting to a game server (Figure 3-18).
Figure 3-18 Author’s Steam account login
03-ch03.indd 168
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-2: Authentication Methods and Access Controls
169
Operating systems rely on user accounts, secured by user name and password, for basic
file system security. The permissions associated with a user account say what that user
can do with data stored on the system, such as adding, deleting, or taking ownership.
User accounts are a fundamental authentication mechanism for every operating system.
Many applications likewise rely on user names and passwords for authentication. You
can set up database programs, for example, to require an additional login before a user
can access or manipulate data. Such fundamental database security begins with a user
name and password.
User accounts, user names, and passwords are so important, both to the real world and
to the CompTIA Security+ exam, that Module 3-3, “Account Management,” is dedicated
to user accounts, groups, permissions, and the many aspects of user name/password used
for authentication and access control.
There’s a good reason that just about everything turns to user name/password for
authentication. User name/password is fast, it takes little storage on systems, it leans
completely on the something you know authentication factor (so nothing to lose or
accidently drop in a toilet), and possibly most importantly, people are used to entering
user names/passwords for just about anything.
EXAM TIP Expect a question on the CompTIA Security+ exam on static
codes for authentication. These refer to personal identification numbers
(PINs) that you use to log into a Microsoft account, for example, or to finish
authenticating with an automated teller machine (ATM) at the bank. Most
smartphones require a static code for login (i.e., authentication).
Password Vaults
Relying on user name and password for logging into a single system or application works
well enough for many situations, but consider an all-too-familiar scenario where a user
needs to log into multiple applications and keep track of multiple passwords. Although
a lot of Web applications allow you to establish an identity and verify that identity using
a Google or Facebook account that functions similar to single sign-on (discussed in
Module 3-1), that’s not always practical or desired.
Many organizations and individuals turn to applications called password vaults to
retain all the passwords—or password keys—for you. A typical commercial password
vault such as Bitwarden can store hundreds of discreet passwords securely. All you have
to remember is your master key (and to make very certain it’s robust). The downside to
password vaults is that they need to be installed on individual systems and don’t give you
the ultimate in flexibility.
One-Time Passwords/Tokens
In any form of authentication, the best type of password is one that’s used one time then
never again. A one-time password (OTP) is generated and used only once, and it is never
repeated. But how can two separate parties somehow magically know the same password
if it’s only to be used once and then thrown away?
03-ch03.indd 169
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
170
The trick to using an OTP is there must be some type of independent, third-party,
separate-from-the-two-sides-of-a-secure-communication tool that generates these
passwords/keys in such a way that both sides of a communication trust the third party.
This third-party password generator is known generically as a token or token key. Hardware
tokens are physical devices such as a USB security key linked to a specific account and
plugged into the client computer. Software tokens are applications that generate OTPs.
Figure 3-19 shows a software token used for a World of Warcraft account.
People use the WoW authenticator for a specific game, but you can also use general
authentication applications as a part of two-factor authentication at various Web sites. The
https://login.gov Web site, for example, enables users to add one of various apps to their
smart devices, such as Google Authenticator, Authy, LastPass, or 1Password, to create
that second authentication factor.
Hardware and software tokens are great examples of one-time passwords in action.
The OTP provided by a token is used in conjunction with another mechanism, such as a
regular password, to provide better security in a multifactor environment.
Another example of one-time password use is during a secure communications session,
where the secure protocols automatically generate a session key that is used only during
that session. The session key could be considered a one-time password. Diffie-Hellman
Ephemeral (DHE) keys are a great example of OTPs.
Figure 3-19
WoW software
token
03-ch03.indd 170
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-2: Authentication Methods and Access Controls
171
Many security systems use standard communication methods to convey an OTP.
Common systems send an OTP via short message service (SMS) to a smartphone, for
example, or push notifications to a computer. Other systems make an automated voice
phone call to verify and authenticate.
TOTP A one-time password, like any password, is going to work whether you use it
instantly or later, so it’s important to give a time limit to any OTP you generate. Also,
given that no date and time is ever the same, time is a great factor to help generate totally
unique OTPs. A time-based one-time password (TOTP) uses time as a factor to assist in
generating the OTP. In the previous example regarding a token, the TOTP changes very
often, sometimes after only a few seconds. Therefore, it must keep its time synchronized
exactly with the authentication database. If the user is even one or two seconds off from
using the correct TOTP displayed on the token, authentication fails.
Normally, the user has a set number of seconds to input the correct password before
it changes and another one must be used. This has many advantages, including the
prevention of replay attacks. Another advantage is that it can be very difficult to predict
TOTPs, based upon the time factor that is input into the algorithm used to create them.
This can make it very difficult for an attacker to guess what TOTPs might be used.
Tokens are not the only devices that can use TOTPs. Google, using strong authentication
practices, for example, may send a TOTP to a personal device, such as a smartphone, that
you would be required to have in your possession during authentication. Your Google
account may require you to input this TOTP within a certain amount of time, and after
you receive a text message with the TOTP, you would input this password, usually a set
of digits, into the corresponding field on the screen. You would then be authenticated
and allowed to access your Google account. Figure 3-20 shows TOTP codes for different
applications on a smartphone.
EXAM TIP The CompTIA Security+ exam may ask about using one-time
passwords. OTPs typically are generated by tokens or mobile devices to
facilitate multifactor authentication.
HOTP One algorithm used to generate OTPs is the HMAC-based one-time password
(HOTP) algorithm. If you recall from Chapter 2, the Hash-based Message Authentication
Code (HMAC) provides for message authentication and data integrity. HMAC can use
either MD5 or the SHA series of hashing algorithms and various key sizes. In the case
of HOTP use, the user is authenticated against the centralized authentication database,
and the authentication server calculates the HMAC value and sends it to the user via an
authentication device such as a token. Several popular authentication mechanisms that
use mobile devices, such as smartphones, make use of HOTP.
Certificate-Based Authentication
Asymmetric encryption, using the exchange of public keys, is a powerful authentication
tool. The exchange of public keys, especially in the form of robust PKI certificates, makes
a level of identification that’s hard to beat (Figure 3-21).
03-ch03.indd 171
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
172
Figure 3-20
TOTP codes from
a smartphone
The challenge to using tools like certificates is that they are tricky to carry around
for individuals. Since a certificate is nothing more than binary data, there needs to be
a method for individuals to carry their certificates. In such a scenario, smart cards, PIV
cards, and common access cards ride to the rescue for certificate-based authentication.
Smart Cards Adding a storage chip to a standard credit card–sized plastic card creates a
way for an individual to store personal information, a smart card. The term “smart card”
It is you!!!
Figure 3-21
Certificate as an
identity tool
ate
Certific
03-ch03.indd 172
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-2: Authentication Methods and Access Controls
173
Figure 3-22
Smart card contacts
isn’t a standard by itself, although a number of standards for data organization, physical
dimensions, contact versus contactless, voltage, and so on fit under the term.
Figure 3-22 shows a few examples of smart card–enabled credit cards. Note the slightly
different contact types.
Smart cards can store any binary data, not just certificates. Some applications use
smart cards that store symmetric keys, digital signatures, PINs, or personally identifiable
information (PII). There is no law of physics or law of humans that says how you use a
smart card or what is stored on that card. Two NIST documents—Special Publication
800-78-4 and FIPS 201-2—provide frameworks for the adoption, organization, and
administration for smart cards.
NOTE The most common symmetric key type used on smart cards is 3DES;
the most common asymmetric key type is RSA.
Personal Identity Verification Card Smart cards for authentication certainly predate
the NIST’s involvement, but there were no well-received standards. Almost anyone
using smart cards up until the early 2000s used vendor-specific systems and, as you
might imagine, there was little to no interoperability. The framework provided by Special
Publication 800-78-4 and FIPS 201-2 and the subsequent adoption of that framework
by civilian departments in the US federal government spurred the industry to create a
single method to use smart cards for identity and authentication.
The result of these publications is the Personal Identity Verification (PIV) card. If you’re
a civilian and you work for or directly with the US federal government, you almost
certainly have been issued a PIV card (Figure 3-23).
PIV card standards provide a wide range of interoperability, ease of administration,
tremendous flexibility, and rock-solid access control. The PIV standard gives individual
agencies quite a bit of leeway as to exactly what is stored on a PIV, but it gives very strict
rules on how that data is stored if you choose to use it. This includes physical as well as
electronic data. PIV cards must be constructed and printed to strict rules. Specific areas
of the card are reserved for a head shot photo, expiration date, smart chip, and so forth
(Figure 3-24).
03-ch03.indd 173
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
174
Figure 3-23
PIV card
Figure 3-24 PIV card layout (courtesy NIST FIPS 201-2)
03-ch03.indd 174
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-2: Authentication Methods and Access Controls
175
Common Access Card The US Department of Defense has its own version of PIV card
called the common access card (CAC). CAC builds on the PIV standard, adding different
versions for active military, civilian employees, contractors, and so on.
Biometrics
Biometrics use a person’s physical characteristics (something you are—the inherence factor)
to provide strong user identification and verification. The CompTIA Security+ exam
objectives list numerous biometric factors, such as fingerprints, retina and iris patterns,
voice patterns, and facial features. These physical characteristics are unique to every
individual and are very difficult to mimic or fake. This makes biometric authentication
an extremely secure form of authentication in theory, although sometimes the methods
used to implement it are not as secure and can be circumvented. You should understand
some terms and concepts in biometric authentication for the exam and as a security
professional.
Fingerprints
Every person has unique fingerprints, making those swirls and lines perfect for biometric
authentication. Fingerprint scanners, like the one shown in Figure 3-25, are common in
many keyboards, laptops, and mobile devices.
Figure 3-25
Android fingerprint scanner
03-ch03.indd 175
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
176
Figure 3-26
Retinal scanner
in Half-Life game
Retina/Iris Patterns
The human retina and iris have unique patterns that lend themselves to identification.
Retinal scanners for access controls date back to the early 1990s, but their cost relegated
them to extremely secure environments. They’ve made a huge impression in popular
culture (Figure 3-26).
Improvements in camera resolution, computing power, and hardware pricing brought
iris scanners into the forefront. Iris scanners are far more common than retinal scanners,
while providing almost the same degree of accuracy (Figure 3-27).
Voice Recognition
Voice recognition for speech to text holds a strong niche for dictation. Most mobile
devices—like smartphones—and personal assistant hardware use voice recognition
tools such as Google Assistant, Amazon Alexa, and Apple Siri. But voice recognition
as authentication hasn’t gained any real acceptance due to its low accuracy compared to
other biometric technologies.
Figure 3-27
Iris scanner
03-ch03.indd 176
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-2: Authentication Methods and Access Controls
177
Hello Mike Meyers
Password
Sign-in Options
Figure 3-28 Windows Hello
NOTE
It’s a lot easier to fake a person’s voice than a person’s iris pattern.
Facial Recognition
Facial recognition has become a popular and powerful authentication method for several
applications. The Windows Hello API, built into every version of Windows 10, is a facial
recognition tool (Figure 3-28). Most facial recognition tools require extra functionality,
especially cameras that include infrared so the camera can differentiate between a real
face and a photograph.
Vein Matching and Gait Analysis
Two biometric areas show promise in authentication, though they’re not as widely implemented as the five physical characteristics previously discussed: vein matching and gait
analysis. Vein matching uses the patterns of a person’s blood vessels to identify that person. The patterns in the palm of the hand, for example, provide data 100 times more
unique than fingerprints, can be scanned without touching the skin, and ignore damage
to the skin. Vein-matching systems are in use in some hospital systems around the globe.
Gait analysis measures the unique way a person walks or runs by using machine vision–
based tools—external cameras, in other words—or via the sensors built into existing
smartphones. This latter technology shows a lot of promise, because it can tap into
the accelerometer every current smartphone has to authenticate the user continuously.
03-ch03.indd 177
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
178
The current systems only offer approximately 75 percent accuracy, so more work needs
to be done, but gait analysis shows promise.
Biometric Efficacy Rates
Biometric systems are not foolproof. The efficacy rates of various systems depend on a lot
of factors, such as error rates, security, privacy, user acceptance, and usability. The previous discussions of specific physical characteristics mentioned some of these factors, such
as the difficulty of getting affordable and acceptable retinal scanners. Two other specific
terms describe efficacy rates: false rejection rate and false acceptance rate.
The false rejection rate, or FRR (also known as a type I error), is the rate at which a
biometric system erroneously rejects authorized users who should in fact be identified
and authenticated as valid users. The false acceptance rate, or FAR (also known as a type
II error), is the rate at which a biometric system erroneously identifies and authenticates
unauthorized individuals as valid users. Both error rates can be dealt with by tuning the
relative sensitivity of the biometric system in question; however, tuning it too much
to reduce one type of error usually results in increasing the other type, so a trade-off
is involved. This trade-off is usually tuned to the level of the crossover error rate (CER),
which is the point at which one error rate is reduced to the smallest point that does not
result in an increase in the other error rate. Figure 3-29 illustrates this concept.
EXAM TIP The CompTIA Security+ exam may ask questions about the
difference between the false rejection rate and the false acceptance
rate in biometrics. The FRR is the rate of errors from incorrectly rejecting
authorized users. The FAR is the rate of errors from incorrectly authenticating
unauthorized users. The crossover error rate (CER) is the point at which the
system must be tuned to reduce both types of errors effectively without
increasing either one of them.
Figure 3-29
The crossover
error rate
Sensitivity
100
False Rejection Rate
Crossover Error Rate
False Acceptance Rate
0
20
100
Errors
03-ch03.indd 178
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-2: Authentication Methods and Access Controls
179
Authorization and Access Control Schemes/Models
Authentication verifies identity and lets a user in the door to access systems in an enterprise. Authorization determines what that user can do once she’s inside. Access controls
further refine what that user can do based on specific security policies. We talked about
security policies in general way back in Chapter 1, but let’s take it a step further now.
A familiar (and perhaps overused) example sets the scenario for this section: a bank.
The Woodland Heights Community Bank serves the good people of Woodland Heights.
Security policies determine which employees have access to information and assets of the
bank. Credential policies define things like how personnel log into the network (password
policies, for example), what kind of access third-party companies get, and how service
accounts and administrator/root accounts are set up and given to people. Credential
policies also apply to devices accessing the network, such as what remote Computer A
can share with, store on, and back up to internal Server B.
Policies govern which people get access according to a set of rules. The bank tellers,
for example, should be able to log into the main system and have access to client records.
That way they can accept money and put it into the proper account, for example, and
give money to verified users from the proper account. Bank tellers wouldn’t have access
to the security camera records; the security team and management would have that
additional access. Management would have access to the vault with all the gold bullion,
but additional controls would restrict and record their access too.
This process of determining who gets what is the basis for the principle of least privilege:
only give access to people who need access; restrict access for those who do not. All of this
leads to specific access controls that enforce the polices. And all of that is encompassed
in the process of authorization. Got it? Enough preamble. Let’s get to the meat (or tofu,
depending on your preference).
The introduction of electronically stored data in the early days of computing
compelled IT entities to start thinking about ways to organize access to ensure good
security. Several entities developed access control schemes, but it wasn’t until the US
Department of Defense Trusted Computer System Evaluation Criteria (TCSEC) “Orange”
book (Figure 3-30) that robust models emerged.
The TCSEC quantified several well-known access control schemes; over time, more
have been added. Many access control schemes are used in the industry; the CompTIA
Security+ exam objectives list several: mandatory access control, discretionary access
control, role-based access control, rule-based access control, attribute-based access control,
and conditional access. We’ll tack physical access control on the end for completeness.
NOTE The international Common Criteria standard replaced TCSEC way
back in 2005. That was your history lesson for the day. All the access control
schemes/models listed here apply.
Mandatory Access Control
Mandatory access control (MAC) applies to highly secure environments, such as defense
or financial systems. With mandatory access control, a user is granted access to a system
03-ch03.indd 179
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
180
Figure 3-30
TCSEC cover
or data based upon his security clearance level. Data is assigned different labels that
designate its sensitivity and the security clearance required to access it. Administrators
grant users, who also have security clearances assigned to their accounts, access to specific
systems or data, based upon their need-to-know requirements. Even on the same system,
users who have the requisite security clearances don’t always get access to all of the data
at the same clearance level. Each user’s job requirements must also indicate a valid need
to access the data. MAC models are typically either confidentiality or integrity models. A
confidentiality model emphasizes protection against unauthorized access, and an integrity
model emphasizes the need to protect all data from unauthorized modification.
Discretionary Access Control
Discretionary access control (DAC) is what most users encounter on a normal basis.
Microsoft Windows, as well as macOS and Linux systems, typically use DAC in both
standalone and network environments. With DAC, the user who has created or owns an
object, such as a file or folder, has the discretion to assign permissions to that object as
she sees fit. The file system, such as NTFS in Windows, provides the security to do such
filesystem permissions. (Note that CompTIA removes the space, so filesystem permissions,
03-ch03.indd 180
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-2: Authentication Methods and Access Controls
181
rather than file-system permissions.) Administrator-level access isn’t required to assign
permissions; any user who creates or owns the resource can do so. Discretionary access
control is a very flexible model, and users can assign rights, permissions, and privileges
both to individuals and to groups of users, which can be logically created in the system
based upon different functional or security needs.
EXAM TIP The discretionary access control model is the only model that
allows normal users to dictate who has permissions to objects such as files,
folders, or other resources.
Role-Based Access Control
Role-based access control, on the surface, sounds like access control using groups, but
this isn’t necessarily the case. Although DAC models can be used to assign permissions,
rights, and privileges to traditional groups, role-based access controls almost exclusively
use predefined roles rather than groups or users. These predefined roles must already exist
in the system, and users must be assigned to these roles to have the access levels granted
to the roles.
A role-based access control model is not discretionary. The creator or owner of a
resource cannot necessarily assign a user to a particular role simply to give him access.
Normally an administrative-level user must assign a user to a role. Roles might include
supervisory roles, administrative roles, management roles, or data change roles that have
an increased level of access to systems, data, or other objects.
Rule-Based Access Control
Rule-based access control is a model that is rarely seen as a standalone type of access control
model. It’s typically integrated with other access control models, such as discretionary
or mandatory access control. In rule-based access control, all accesses granted in the
system are based upon predefined rules, which might include restrictions on when, how,
where, and under what circumstances a user may access a system or resource. A rule,
for example, may state that between the business hours of 8 a.m. and 11 a.m., only
the accounting department may have write access to a particular database, but between
1 p.m. and 4 p.m., users in accounting, marketing, and production may have read and
write access to the database.
Rules may apply to users or groups of users, and they may even specify the workstations
that must be used, the type of permissions that apply to the resource, and so on. An
example of rule-based access control is that used in more advanced firewalls, which lists a
series of rules that users, network devices, hosts, and network traffic must meet in order
to access other hosts and resources on the network.
Attribute-Based Access Control
All of the previous access control models share a user-centric attitude toward access. Users
are important, but limiting. In the last few years a number of more granular, more powerful access control models have been adopted. The attribute-based access control (ABAC)
03-ch03.indd 181
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
182
model replaces users with attributes. While an attribute may be any form of identifying
information, it’s commonly divided into functional groups, such as subject attributes
(name, clearance, department) or object attributes (data type, classification, color). We
then connect policies to the access control. When someone wants to access data, ABAC
uses preset rules that consider attributes and policies to make a decision about access.
Conditional Access
Conditional access policy means to grant specific users or groups access when certain (usually dire) conditions occur. A conditional access policy might apply in case cellular networks go down in an area and two-factor authentication becomes impossible. You’ll see
this sort of policy implemented in a lot of modern systems, especially cloud-based systems like Microsoft Azure. Azure offers various “as a service” offerings, such as platform
as a service (PaaS), software as a service (SaaS), and infrastructure as a service (IaaS).
Having aggressive policies in place to deal with catastrophic circumstances like floods
and fires makes perfect sense when your product should be available to customers always.
Microsoft 365—as in Office 365, a powerful productivity suite of applications—
offers a good example of a current security architecture that includes a layered approach
and multiple controls. At the heart of the system is the data storage and configuration,
controlled by administrators, privileged accounts. That heart is protected by what’s called
privileged access management (PAM), a control to isolate or limit the affect a compromised
privileged account can have on the overall system. Layered on that is conditional access.
Layered on that is RBAC. In practice, this layered security protects the system from abuse
and the users from loss.
Physical Access Control
Physical access control describes the mechanisms for admitting and denying user access to
your space. This applies to doors, door locks, and facilities in general. More specifically,
the term refers to the objects used to enable users to gain secure access. Smart cards,
discussed previously, can function as physical access control mechanisms. Proximity cards
rely on a different frequency, but function similarly. Another typical tool is a key fob
(Figure 3-31). These are used at places like gyms that allow 24/7 access.
Module 3-3: Account Management
This module covers the following CompTIA Security+ objectives:
• 3.7 Given a scenario, implement identity and account management controls
• 5.3 Explain the importance of policies to organizational security
User accounts and passwords provide the bedrock of identity and account management
control. This module explores user account types, issues with mingling accounts on
a single machine, and managing permissions. We’ll also analyze account policies and
account administration best practices.
03-ch03.indd 182
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-3: Account Management
183
Figure 3-31 Key fob
User Accounts
User accounts provide a method to identify, authenticate, and authorize individual users
to a resource. In a common scenario, you have some type of server software offering a
resource and some type of client software trying to access that resource (see Figure 3-32).
NOTE Server software is not necessarily running on the same physical
computer as the resource it shares, although it often does.
I access
shared
resources.
I provide
access to my
shared resources.
Resource
Resource
Resource
Client Software
Server Software
Shared Resource
Figure 3-32 Client, server, and resource
03-ch03.indd 183
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
184
Give me access to
your shared
resources!
User name and
password please!
Resource
User Database
User na
me
and
PASSW
ORD
Melissa,
a3^dkf2cxvb
Resource
Stephen, j4sam1&fs8)4
Michael, e32*$gHfsQ1
Penny, p&djks$ks@2
Resource
Figure 3-33 Authenticating to a server
User accounts are data structures, usually stored on the serving system, that store two
discrete features: a unique identifier (a user name) that identifies the user and a shared
secret (a password) used to handle the authentication (Figure 3-33).
Assuming a successful login, the client authenticates and can access any resource the
server allows. The server issues to the client software some form of access token. The server
software uses the access token to handle the authorization, defining the permissions the
user has to the shared resources via some form of access control list. Figure 3-34 shows
an access control list as attributes assigned to each resource.
NOTE
In Windows, the access token is known as a security identifier (SID).
Note that when you run a server offering shared resources, sometimes there are
housekeeping or security issues—issues that have nothing to do with the resources
n
ke a
To 13
ss e2
ce 5f
Ac 2c5
1a
Resource A
1a2c55fe213a
read, write, execute
Resource B
1a2c55fe213a
read
Resource C
read No listing for 1a2c55fe213a here so
no permissions to this resource.
Figure 3-34 An access token handles authorization.
03-ch03.indd 184
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-3: Account Management
185
themselves, but rather the server as a whole—that you must deal with to support good
authentication and authorization. For example, what if the server cares about the user’s
password length? We call these rights or privileges, and we’ll see more of these shortly.
Account Types
Serving systems that employ user accounts organize their accounts into different types
to help categorize their use and apply the principle of least privilege discussed back in
Module 3-2. You should know these user account types: user, administrator/root, privileged, service, and guest.
User The user account is created for and allocated to the people needing access to shared
resources. In a perfect world, every individual needing access to resources has his or her
own user account, although sometimes there are exceptions.
Administrator/Root Every serving system, in particular every operating system, has an
account that has complete power over the resource as well as the complete serving system.
This super account is often automatically created when the OS is installed. In Windows
this account is called administrator (often shortened to admin); in macOS and Linux/
UNIX, this account is called root.
The admin/root account is powerful. It has complete and total access to all resources
on the serving system. It has access to all permissions to the system. In general, avoid
using these powerful accounts unless you are performing a job that requires them.
Privileged A privileged account sits between a user account and an admin/root account.
We generally create privileged accounts to delegate some aspect of system or account
management. For example, an admin might assign the right to update software to a user
account, making it privileged.
Service In some cases individual processes, not actual people, need rights and/or
permissions to a serving system. A backup program, for example, might need read access
to any file on a computer to make a proper backup. In these cases we create (or the
operating system automatically creates) service accounts.
NOTE Service accounts usually aren’t held to password complexity or
password changing controls, making them a vulnerability to protect. They’re
often overlooked or ignored and thus make a great entry point for bad guys.
Guest Guest accounts have minimal rights and privileges, often used for temporary
access to resources. In most cases guest accounts are premade by operating systems, and
in almost every case they are disabled by default. Note the down arrow on the guest
account in Figure 3-35 showing that it is disabled.
Mingling Accounts
Sometimes it’s impossible or impractical to assign a single user account to every individual in your organization. Two important considerations in managing accounts are
the use of multiple accounts, usually by one individual, and the use of shared accounts,
03-ch03.indd 185
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
186
Figure 3-35 Disabled guest account on Windows 10 Professional
which may be used by multiple individuals. In some circumstances, the use of multiple
user accounts, or even shared accounts, may be required. In these cases, we have to balance this functionality with security.
Multiple Accounts Normal user accounts are allowed to perform typical user actions,
such as editing documents, checking e-mail, and performing daily work. Higher-level
account privileges on the host or network may be required by administrative-level or
privileged users because of their duty or job position requirements. But if we assign the
normal user account higher-level privileges, it increases the potential for bad things to
happen. First, the user could routinely abuse his privileges. Second, if a malicious entity
obtains the user’s account and password, she could perform harmful actions using those
elevated privileges. Finally, if the user is logged into the system with that privileged account,
any malware or software that requires elevated user privileges can take advantage of that
account, potentially taking harmful and sometimes unknown actions on the system.
The answer to this problem is through the controlled use of multiple accounts—in other
words, a user would have a normal user account with lower-level privileges, plus a second
user account with very specific higher-level privileges. The user would use her lower-level
account to perform routine duties—actions such as accessing e-mail and files, editing
documents, and other actions that require no special privileges. When the user needs
to use higher-level privileges, such as creating accounts, installing devices, and updating
03-ch03.indd 186
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-3: Account Management
187
software, she could authenticate to the privileged account and log out of the account
when the action is complete. This way, the user restricts her use of the privileged account
only to the times when it is needed, and she is not constantly authenticated as a privileged
user. This reduces the attack surface on the system or network and the possibility of those
privileges being abused. It also makes it easier to hold the user accountable for any actions
performed using those higher-level privileges by auditing those accounts.
Some general rules for maintaining multiple accounts include the following:
• Use different login names, different passwords, and different permissions and
privileges for both accounts.
• Different group assignments should be made for those accounts, plus a higher
degree of auditing of their use.
• Users should not stay logged into the system using privileged accounts; they
should be allowed to log into the accounts only when they need them.
• Users should have to follow a process of logging in and authenticating to the
system with those accounts before they are allowed to use them.
• Users should be allowed to perform only certain actions while they are logged
into those accounts and should be required to log out when they’re done.
• Audit multiple accounts, particularly privileged ones, periodically to determine
current needs and proper use. Too often, users can get a little lazy and stop using
their “lesser” account. Regular audits should keep such misbehavior minimized.
Shared Accounts In a shared account, several users can log in using the same user
name and password for the account—in other words, several people can access the same
account. You can quickly see how sharing accounts could cause issues with accountability
and non-repudiation. If someone used that account to change file permissions, delete
data, or even create another user account with elevated permissions, who would you trace
the action to? The abuser could be anyone who has access to the account and knows its
user name and password. Even strictly auditing the account would not tell you who used
it (Figure 3-36).
Figure 3-36
Not me! Must
have been the
other User22!
03-ch03.indd 187
We are all User22!
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
188
Don’t use shared accounts/credentials (referred to as shared and generic accounts/
credentials in CompTIA Security+ objective 3.7), period. They represent a gigantic security
hole. Administrators can always take over in a pinch, so having multiple people able to
access the same systems with the same account credentials is a poor security practice.
Although they should be avoided whenever possible, shared accounts should be
carefully controlled if they are used. Anyone who has access to the shared account should
be documented and briefed on its care and use. Some systems may allow a user to be
logged in as a normal user and then authenticate to the shared account. In this case, the
system may audit the use of the shared account, the time it is used, the actions performed
with it, and the authenticating user, thus ensuring accountability. If the system does not
have this capability, users should have to log their use of a shared account manually, as
well as what actions they took while using it. These manual and system logs should be
scrutinized carefully and often to make sure that people are using the account for its
intended purpose, and securely.
EXAM TIP Shared and generic accounts/credentials should be used as
minimally as possible. When their use is absolutely required, shared accounts
must be documented, audited, and carefully controlled.
Managing Permissions and Rights with User Accounts
Permissions and rights are generally assigned on an individual basis to user accounts or
to logical groups that have been created for common functional and security needs. We’ll
look at both methods and discuss the need to review and monitor privileges periodically
to ensure that they’re being used appropriately.
The principle of least privilege, as you’ll recall from Module 3-2, guides policies about
account permissions and rights, meaning that administrators never give a user account
more rights and permissions—the least amount of privilege—than is needed for the user
to do his or her job. A great example of a least privilege policy is time-based logins to make
sure that users have access to their systems only during the times they should be at their
machines. There’s no reason for Penny in Accounting to have access to her system at
2 a.m. on a Sunday morning (unless Penny works strange hours)!
User-Assigned Access Control One of the reasons to create individual user accounts
is that it enables administrators to assign the accounts specific rights and permissions.
User accounts allow users to identify and authenticate themselves to the system, access
and interact with resources, and perform their daily jobs. Set up properly, these accounts
also enable administrators to trace the actions performed by the user account to the
physical user. When a user requires access to a system or resource, an administrator
assigns specific privileges to her user account. When that user requires access to yet
another resource, the administrator assigns her even more privileges. At some point, the
user may no longer require access to certain resources or privileges to perform actions on
the system. When that happens, the administrator can also reduce the user’s privileges
or revoke certain permissions.
03-ch03.indd 188
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-3: Account Management
189
These types of actions occur daily with most user accounts in large organizations.
You’ll find, however, that many user accounts have common functional needs and
security requirements. Managing permissions on an individual user account basis can
be inefficient and difficult. Although certain user account permissions need to be
administered on an individual basis, the preferred way of managing permissions is by
assigning them to groups, discussed next.
Group-Based Access Control On a system, a group is a logical collection of user
accounts that have common functions, access, and/or security needs. The most efficient
way to assign user rights and permissions is to assign them to groups. This allows the
appropriate privileges to be assigned to the entire group of users only once, rather than
assigning privileges to individual user accounts each time new users require the same
privileges (Figure 3-37).
User accounts can be placed in and removed from groups easily. You can assign user
accounts to multiple groups to reflect different functional and security needs.
One disadvantage to group-based privileges is that a user account may be placed in
a group and eventually forgotten about. Later, if the organization does not want a user
to have certain privileges, an admin examining the individual user account wouldn’t
see the group privileges there. Another disadvantage is that group privileges are often
cumulative. For example, if a user is assigned to the administrators group, he usually has
elevated privileges. If he is assigned to a functional group as well, such as accounting or
marketing, he may use his administrative-level privileges to affect certain transactions
that are not authorized.
Group membership should be examined closely, as well as cumulative permissions and
the continuing need to have them. Reviewing privilege requirements and continuously
monitoring them is important.
NOTE Use groups to assign user rights and permissions to resources
whenever possible. This makes the process much more efficient and secure.
Figure 3-37
Groups assign
permissions to
users with common functions.
03-ch03.indd 189
All of us sales folks
are in the SALES group.
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
190
Account Policies
Organizations develop and implement account policies to ensure uniformly created
and maintained accounts. Network administrators apply technical policy settings
within the system to implement the written account policy for the organization. For
example, Windows has several account policy settings that you can use to enforce certain
restrictions on user accounts. The following sections explore different aspects of account
policy enforcement, including password policies, and circumstances that may require user
accounts to be locked out or disabled. Figure 3-38 shows some of the technical policy
settings in Windows used to manage accounts.
EXAM TIP Policies that determine what a user account can do in a system
are also referred to as access policies.
Password Length and Complexity
Every security professional harps on the need to have strong passwords. But what makes
up a strong password? In the early days of computers and the Internet, people used their
dog’s and children’s names, birthdays, and other common, easy-to-remember things as
Figure 3-38 Windows Server security policies
03-ch03.indd 190
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-3: Account Management
191
Figure 3-39
Fido, good boy!
f…i…d…o
passwords. Passwords were usually very short, five or six letters at best, and normally
made up of letters of the alphabet (Figure 3-39).
As malicious hackers came on the scene, however, they quickly learned to guess and
defeat passwords using simple mathematics (since short passwords did not yield a lot of
different combinations to try) or by guessing the users’ passwords by learning different
characteristics about them and their personal lives (Figure 3-40).
Best practice avoids the use of simple user names and passwords for identification and
authentication, but most folks don’t practice . . . best. Although businesses and government
agencies use multifactor methods such as smart cards, PINs, and biometrics, the average
user (business users included) still relies on user name and password combinations in
many of their applications (Figure 3-41). So security professionals still have to account
for the possibility that passwords will be stolen and cracked by malicious entities. To
make it harder for hackers to steal and crack passwords, create password construction
rules that make password guessing and brute-forcing more difficult.
A password consists of several linear characters. Fewer characters means easy
crackability. If, for example, the password was constructed of only numbers, then a fourcharacter password would have only 10,000 possible combinations. This might seem
difficult for a human to guess, but a computer could crack this password in seconds. Even
if you added one more character, the password would have 100,000 possibilities—still
very easy for a computer to figure out.
Figure 3-40
Simple passwords crack
easily.
03-ch03.indd 191
Here, Fido!
Catch!
Really? Fido? I’ll
just jot that down
for trying later.
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
192
Figure 3-41
Too easy
pwd: ilo
vefido
Well, at least it’s
more than 4
characters!
Today, the general rule is that the longer the password the better, because the different
combinations of password possibilities makes it harder to crack. These days, most
organizations recommend, and sometimes require, a password length of at least 14 to
20 characters. A computer can break even a password this long in a matter of minutes,
however, if the password uses only numbers or letters. That’s where complexity comes in.
Password complexity takes into account the number of character sets that can be used
to construct a password. In a four-character password that uses only numbers, for each
possible character, there are only 10 possibilities (digits 0–9). Add another character
set, such as all lowercase letters of the alphabet, and the number of potential characters
increases to 36 possibilities per character (digits 0–9 and lowercase alphabetic letters a–z).
This increases the character space and the complexity of the password. A four-character
password increases from 10,000 possible combinations to 1,679,616. Again, this sounds
like an awful lot of combinations, and it would be very difficult for a human to crack
this password in a reasonable amount of time (Figure 3-42). Computers can attempt
thousands of combinations per second, however, so it wouldn’t take long to crack a fourcharacter password, even with this many combinations.
Adding additional character sets increases the number of password combinations.
Rather than using only numbers and lowercase letters, most organizations require the use
of uppercase letters and special characters. Ideally, users should construct long passwords
that use at least one of each of those four character sets, preferably at least two of each.
Password length fundamentally impacts security—the longer the better.
Figure 3-42
Better boy, Fido!
f…1…d…0
So much better than
“fido.”
03-ch03.indd 192
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-3: Account Management
193
The more complex a password is, the less likely the user will be able to remember
it, and that means he’ll probably write it down; this is something to consider when
requiring complex passwords. Users must be trained on how to develop secure passwords
that they can remember without compromising them by writing them down. Many
users find that constructing a password from an easily remembered phrase is a viable
solution to this problem. I’m a military aviation fan, so one of my old passwords was
Mikelikesthef14tomcatsapg-71radar. (Yes, I’m a serious nerd.)
Watch out for keyboard walks, the process of making a password by just moving up
or down the keys on the keyboard. The password Mju7Nhy6Bgt% looks like a really
complex password, for example, but watch the keyboard while you type it. It’s a keyboard
walk and every password cracker knows it.
EXAM TIP Password complexity consists of increased length and
character sets. Both contribute to the character space (number of possible
combinations) and a password’s security.
Password Reuse and History
Essential account policies restrict password reuse and maintain a password history. It
does no good to require users to change their password periodically if they revert to the
same password they’ve used for years. A password reuse account policy restricts users from
reusing the same password frequently. For example, setting a password reuse policy to 10
would prevent users from using their last ten passwords, thus ensuring a fresh password.
TIP Good account policy restricts password reuse. Also, not on the exam,
but worth noting is that good policies can restrict password resemblance
as well as reuse. Edgar changes his password from An3wPWD4here1!
to An3wPWD4here2! when required by the network policy. Is the new
password a complex, long password? Yes, but it differs only one digit from
his previous password. That’s not good security!
The password history, which stores the user account’s passwords for a certain number
of password change cycles, helps enforce the password reuse policy. If the password history
policy is set to 10, for example, the system would store the user’s last ten passwords.
Beyond this setting, the user can, of course, reuse a password, but setting stringent
password aging requirements would prevent the user from reusing passwords for a period
of time. If, for example, passwords are required to be changed every 90 days and the
password history is set to 10, then the soonest a user could reuse a password would be
900 days. By that time, the user probably won’t even remember the old passwords, so
odds are an old password won’t be reused. Figure 3-43 shows a Windows Server password
policy management console that includes password history settings and complexity
requirements.
03-ch03.indd 193
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
194
Figure 3-43 Managing password policies in Windows Server
Account and Password Expiration
Accounts and passwords shouldn’t last forever; in fact, some accounts and passwords
should be set to expire. Accounts for temporary workers, for example, could be set to
expire after a predetermined period of time, such as 90 days. These accounts could be
reviewed shortly before the time period expires to see if they are still needed.
Passwords, on the other hand, should be set to expire for everyone in the organization,
to include administrators and even senior executives, because, over time, passwords
could become cracked by malicious hackers, lost, or otherwise compromised. Password
expiration shortens the amount of time that an attacker has to crack and use a password
(Figure 3-44). Depending on password length and complexity, it can take an inordinate
amount of time to crack. The idea is to make sure the passwords expire before they
are cracked.
When the password is set to expire, the system should notify users a certain number
of days (set by the system’s account or password policy) ahead of time so that they have
ample opportunity to change to a new password. If a user does not change her password
within the allowed amount of time, her account should lock, so that she cannot use
the account again until the password is changed. This forces the user to change her
password, and when she again creates a new password, the expiration time for that
password resets.
03-ch03.indd 194
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-3: Account Management
195
Figure 3-44
Drats, foiled
again!
3…2…1…change
your passwords,
people!
Noooo!!! Just
one more day
and I would’ve
been in!
Disabling Accounts
Administrators disable accounts temporarily for various reasons. The organization may
not want to revoke, retire, or delete the account permanently, since the user may need
it at a later date. Perhaps a user has repeatedly input an incorrect password—the system
would automatically disable the account to prevent its compromise in case an attacker
is attempting to brute-force the account. Or an administrator may temporarily disable
an account when a user takes a vacation—or if he is under investigation for a crime involving the computer. The user may not be allowed to use the account during either of
these two circumstances, so an administrator would manually disable the account until
management determines that it can be re-enabled.
EXAM TIP The CompTIA Security+ objectives use the term disablement to
describe the process of disabling user accounts. It’s all part of account policy
enforcement, an essential aspect of IT security.
For whatever reason an account is disabled, it prevents its use for a set duration. An
administrator must re-enable the account and should include a documented reason as
to why she both disabled and re-enabled the account. It may be organizational policy
to disable an account for a predetermined amount of time after a user has left the
organization; in those cases, policies should also set a time after which the account will
be permanently deleted.
EXAM TIP Disable accounts temporarily whenever a user does not need
access to the system. Don’t permanently delete accounts until you determine
that a user will never need access to the system again.
03-ch03.indd 195
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
196
Account Lockout
Account lockout policies protect user accounts from being compromised. A typical
policy disables an account after a number of incorrect password attempts, for example.
The account can be locked for a predetermined period, such as an hour or two, or
until an administrator manually re-enables the account. This prevents brute-force
password attacks. Account lockouts also normally show up in audit logs and could alert
the administrator to a potential attack—or, at a minimum, a user who has issues with his
account or password. Most account lockout thresholds are set to a small number, usually
between three and ten, sufficient to prevent a brute-force attack but forgiving of a user
who may have simply forgotten or mistyped his password. Figure 3-45 illustrates the
default lockout policy settings in Windows.
EXAM TIP You should always set account lockout as part of your
organization’s account policies. Without account lockout, a malicious
user could use brute-force techniques to guess a password and access
an account.
Figure 3-45 Default lockout policy settings in Windows
03-ch03.indd 196
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-3: Account Management
197
Figure 3-46
Maybe we should
just fire the guy?
I forgot my
password!
Kill me.
Account and Password Recovery
Proper account policies incorporate account and password recovery. Account recovery policies should cover both disabled and deleted accounts. Password recovery generally applies only to forgotten passwords. Those people and their shoddy memories
(Figure 3-46)!
Account recovery options vary a lot between disabled and deleted accounts. An
administrator can easily re-enable a disabled account whenever management or policy
dictates. A deleted account, whether by accident or by intent, offers challenging recovery
options. Simply re-creating an account isn’t the same thing as re-enabling it. Even if you
were to re-create the account with the same user name, the identifier that the system
uses for it will differ. The system uses identifiers to assign privileges and allow access to
different areas of the system. Re-creating an account means that you’ve created a new
account, so the user rights and privileges used on the original account would not apply
to the new account—you must reassign them from scratch.
NOTE In Windows, the account identifier is known as the security identifier,
or SID. In UNIX- and Linux-based systems, account identifiers are known as
user identifiers, or UIDs.
You can also recover an account by restoring part of the accounts database from a
backup. This isn’t always the preferred method, however, because it is difficult to restore
only discrete pieces of the database pertaining to the user account. Typically, the entire
database might have to be restored, which would also undo any other changes that were
made since the account was lost or deleted.
Password recovery typically occurs only if the password has been stored somewhere
offline, such as in a secure file or container. Often, organizations will record highly
sensitive passwords for system services or critical personnel and store them in secured
and encrypted files or in a secure container, such as a safe, for example. If passwords have
not been stored offline, recovery could be difficult if a system goes down. Some older
systems might store passwords in plaintext, which is highly undesirable, but it might
make passwords easier to recover. The best way to “restore” a password is to create a new
one, especially with a lost or potentially compromised password.
03-ch03.indd 197
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
198
Location-Based and Time-Based Policies
The prevalence of accessing e-mail on smartphones has led to security policies based
on the network location of devices. If an employee loses a company smartphone that’s
set up to receive and send e-mail messages, this presents a clear danger. Smartphones
know where they are, for the most part, because of interaction with cell towers.
Companies can implement policies that restrict features of smartphones, like e-mail,
when the user goes outside a given geographic area. Or the policies can be set up to
provide an automated notification about an unsafe location, such as when travelling
abroad.
In addition to location-based policies, administrators often add time-based login
policies as well, providing authentication that includes when a user should or could log
in. John logs in successfully each morning at the office at 8:00 a.m., Monday through
Friday. Policy determines that he should not log in at 6:00 a.m. during the week, for
example, nor at 8:00 a.m. on the weekend.
Anomaly Detection Policy
Implementing a system based on Microsoft Azure Active Directory, a cloudbased network solution, provides a typical scenario for account policies. Many of
the network assets are remote rather than local and thus add a dimension to the
account policies beyond a locally based network. Microsoft Cloud App Security
offers specific policy options that apply to their Azure AD system, such as anomaly
detection policies.
Fully automated, these policy options include such gems as impossible travel time,
risky login, and activity rate monitoring. After a user logs off from Azure AD at a specific
physical location and time, the system can detect if that user attempts to log in at another
physical location that is sufficiently distant to represent an impossible travel time from
the location of the previous logout. Erin can’t log off her work computer in Houston,
Texas, at 5:00 p.m., for example, and then log into her work computer remotely at
5:30 p.m. from Dallas, Texas. The system is smart enough to recognize VPN logins,
which reduces the number of false positives. A positive detection triggers a security alert
so that administrators can take appropriate action.
A risky login reflects a risky IP address, generally from an unknown or suspect
location. Erin logs off from her remote connection in Houston on Friday night. She
logs in on Monday from an IP address that’s in Brazil, and the system has no clue if she’s
on a business trip or somebody hacked her account. Security alerts are triggered and
administrators can take appropriate action.
Microsoft Cloud App Security policies dictate the degree to which unusual activity gets
flagged. This activity can include all sorts of things, from unusually high downloads to
excessive file sharing or file deletion. The system will trigger an alert, and administrators
can take appropriate action.
The cool part about policy systems like Microsoft Cloud App Security is that
administrators can fine-tune them to work accurately for their network needs. All of the
policies can and should be tweaked over time.
03-ch03.indd 198
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-3: Account Management
199
Account Administration
The typical network administrator has common repetitive tasks that affect company
security. Policies determine how to handle most of these tasks. Let’s look at onboarding/
offboarding, user audits and reviews, and continuous monitoring.
Onboarding/Offboarding
Policies on onboarding and offboarding of personnel apply explicitly to the status of the
user account. We touched on these back in Module 1-7, but they’re worth putting into
context here. During the onboarding process, a new employee should have a new account
created, using some form of standard naming convention to enable ease of use by everyone.
NOTE Failure to use a standard naming convention is the bane of small
businesses that start to grow. Even tiny companies should always pick a
standard naming convention for all user names and stick to it.
Offboarding is even trickier. When an employee separates, administrators do not
typically delete the user account. Instead, they reset the user account with a new password
used only by the administrator and the account is disabled for a set amount of time. This
makes data recovery easy.
Account Audits and Review
Network administrators should periodically audit access to systems and resources for several reasons. First, compliance with any organizational access control policy may require
periodic review. Second, users often are transferred within an organization, they may be
hired or terminated, or they may be promoted or demoted. In all of those cases, users
likely don’t require the same access to systems and data. Unfortunately, if access is not
reviewed on a periodic basis, users may move around within the organization and retain
privileges even when they no longer need them. This is a problem commonly called
privilege creep, and it violates the principle of least privilege.
The best way to perform these account audits is by looking at two very specific areas:
account permissions auditing and review and usage auditing and review. What permissions
does the user account have across all shared resources? What resources is he actually using
(usage audit)? Is he using all he has? Does he have too many permissions due to privilege
creep? Here is where the administrator makes changes to rights and permissions to stick
with least privilege. This audit process is an essential part of account maintenance, the
collective procedures to make sure users have access to what they need over time, with
changing projects and responsibilities, and nothing else.
Some highly sensitive systems or data require periodic access reviews called
recertification to ensure that unauthorized users have not been inadvertently given
inappropriate permissions to sensitive data. Access reviews involve reviewing audit logs,
object permissions, access control lists, and policies that specifically direct who should
have access to systems and data and under what circumstances. That’s another reason it’s
a good idea to document exactly who has access to sensitive systems and data and when
that access will expire; it makes access reviews a great deal easier.
03-ch03.indd 199
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
200
Continuous Monitoring
Continuous monitoring is a form of auditing that involves examining audit trails, such as
logs and other documentation, to ensure accountability for actions any user performs.
With continuous monitoring, administrators can continuously check to ensure that
systems and data are being accessed properly and by authorized personnel. Monitoring
may involve automated means or manual review of logs or documentation. In any event,
administrators look for signs of improper access by unauthorized persons or unauthorized
actions authorized people may take, such as unauthorized use of account privileges; use
of accounts by unauthorized users; unauthorized creation, deletion, or modification of
data; and so on.
Continuous monitoring enables administrators to be sure that users are performing
only the authorized actions they are allowed to perform on the network. This supports
the security concepts of authorization and non-repudiation, as well as accountability.
Figure 3-47 shows the different options available for auditing in Windows, a necessary
part of reviewing user access and continuous privilege monitoring.
EXAM TIP The organization should review the need for higher-level
privileges on a frequent basis and continually monitor the use of those
privileges. This ensures accountability and prevents security incidents
from occurring.
Figure 3-47 Audit Policy settings in Windows
03-ch03.indd 200
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-4: Point-to-Point Authentication
201
Module 3-4: Point-to-Point Authentication
This module covers the following CompTIA Security+ objective:
• 3.8 Given a scenario, implement authentication and authorization solutions
Now that this chapter has covered most of the critical concepts of access management,
it’s time to move from the theoretical into the practical. This module looks at the
protocols and methods that enable a client to access a server securely.
The best place to start this is at the beginning of the Internet; a time when cable
modems, cellular WANs, and fiber to the premises weren’t considered; a time when
computers sat in your house, unconnected to any network. If you wanted to connect
to the Internet, you had to make a remote connection from your computer to a remote
server of an ISP that in turn connected to the Internet.
Back in the early 1990s, just about everyone had a physical telephone line. Using an
analog modem and a telephone number, we could dial in to a system that was connected
to the Internet, and then we were connected as well (Figure 3-48).
The protocol that made all this work was the Point-to-Point Protocol (PPP). In essence,
PPP turned a modem into a network interface card (NIC). The PPP client dialed up the
remote PPP server and made a virtual Ethernet connection, just as if your computer at
home was connected to the switch at the remote server’s location. From here the PPP
server would send out Dynamic Host Configuration Protocol (DHCP) requests just like
a modern system does.
NOTE Point-to-point in this context means taking a single computer and
making a single, one-to-one connection to a remote network. Don’t confuse
these remote connections with modern technologies such as virtual private
networking. A VPN requires a system already on the Internet to make a
private connection. A point-to-point connection means your client is not on
any network.
The problem with PPP was that it was remote. A PPP server had a phone number that
anyone could call and PPP servers weren’t cheap, so PPP came with several authentication
protocols. Three of these protocols—PAP, CHAP, and MS-CHAP—dominated and
continue to dominate point-to-point authentication.
Figure 3-48
Ancient connection options
03-ch03.indd 201
With this
modem I can
get 48 K bits
PER SECOND!
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
202
PAP
The Password Authentication Protocol (PAP) is the oldest authentication protocol used to
pass user names and passwords to a central authentication server. PAP was usually seen
with older dial-up remote connection methods and actually predates PPP. Unfortunately,
PAP does not pass user names and passwords securely during authentication by default;
this information is generally sent over the network in clear text, making it easily intercepted by someone using a network sniffer.
EXAM TIP The ancient and non-secure PAP has been deprecated. You
should always use an authentication protocol that hashes or encrypts user
credentials that travel across a network connection.
CHAP/MS-CHAP
The Challenge-Handshake Authentication Protocol (CHAP) is an Internet standard method (described in RFC 1994) of authenticating users or a host to a centralized authentication server. CHAP is an older protocol that replaced sending user name and password
information over clear text, as non-secure implementations of PAP did. CHAP was primarily used over PPP connections, and it was the first of several different versions of
challenge-response authentication protocols. In CHAP, the authentication server sends
a challenge message to the user or host. The user inputs his password, and the system
hashes the combination of the password and challenge together, using a one-way hash
function. The host then sends this hashed response back to the authentication server.
The authentication server, which knows the user’s password, repeats the hashing process
with the password and challenge and produces its own hash value. If the hash values
match, then the authentication server knows that the user input the correct password
and the user can be authenticated. If the hash values do not match, authentication fails.
Figure 3-49 illustrates how this process works.
CHAP periodically reauthenticates clients during a session; this process uses a threeway handshake. CHAP can prevent replay attacks and also enables the user to authenticate
without directly sending his password over non-secure network connections. Microsoft
developed its own version of the CHAP protocol, MS-CHAP, and later MS-CHAP v2,
1. Client requests authentication.
2. Server sends a challenge to the client.
3. Client responds to challenge by hashing response
with user’s password.
4. Server compares response to its own computed hash
and authenticates if they match.
Figure 3-49 The CHAP authentication process
03-ch03.indd 202
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-4: Point-to-Point Authentication
203
which was used in earlier versions of Microsoft Windows. It is been all but deprecated
on all recent versions of Windows in favor of more secure authentication mechanisms
such as Kerberos.
EXAM TIP CHAP relies on challenge and response messages and hashed
passwords, as do other modern protocols. This ensures that passwords or
other user credentials are never sent over the network in clear text.
Remote Access Connection and Authentication Services
This section explores various remote authentication services and protocols that enable
external authorized users and hosts to authenticate into an internal network. These
methods are normally used for older dial-up and Integrated Services Digital Network
(ISDN) connections, but we’ll also look at the two primary tunneling protocols that can
provide remote access services for VPN connections—the subject of later modules, so we
won’t go much in depth here.
Authentication, authorization, and accounting (AAA) apply to functions performed
by authentication services, such as remote authentication services. In this context,
authentication and authorization mean the same thing, although there might be
intermediary devices that provide certain related services rather than having a host
authenticate directly with a centralized authentication server or database.
The accounting function, when used in the context of remote access, describes the
process of accounting for connection time and billing functions, another throwback to
the older days of dial-up, when users paid for their connection to an ISP by the minute
or hour. These days, users typically connect via a broadband method that is “always
on,” such as DSL or cable modem. Although users are still charged for their service, it’s
typically on a flat-rate basis and not by the minute or hour. Still, the accounting function
of remote access takes care of this aspect of the connection, including time of connection,
the traffic that was used over the connection, and which hosts connected at which times
to make use of the connection.
RADIUS
The Remote Authentication Dial-In User Service (RADIUS) protocol was originally
developed to provide for remote connections through older dial-in services. RADIUS
provides AAA services to clients and providers. It is a standardized Internet specification
and falls under several different RFCs, including RFC 2865, RFC 2866, and others.
A basic client/server protocol, RADIUS uses User Datagram Protocol (UDP) as its
transport protocol on ports 1812 (for authentication and authorization) and 1813 (for
accounting functions).
RADIUS has a few interesting terms you need to know. A RADIUS client is not
the host attempting to connect; it is the network access server itself, to which remote
hosts connect. This server is an intermediary that processes the connection request
and passes it on to other servers, called RADIUS servers, which provide authentication
services and can be either Windows or UNIX-based servers. Active Directory, in fact,
03-ch03.indd 203
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
204
can provide for authentication services to RADIUS clients, acting as a RADIUS server,
through the Microsoft remote access and VPN services. In terms of security, though,
RADIUS is a bit lacking. Although the communications between the RADIUS client
and the RADIUS server are encrypted, communications between the RADIUS client
and the remote host are not. Unfortunately, user name and password information could
be intercepted between the remote host and the RADIUS client. RADIUS can support
a variety of authentication methods, including some of the older ones, including PPP,
PAP, and CHAP.
EXAM TIP A RADIUS client is the network server that receives the connection
request from the remote host and communicates with the RADIUS server. It
is not the remote host itself.
Diameter
Diameter is an AAA protocol proposed to replace RADIUS. Its name is actually a pun
and doesn’t really stand for anything. It makes sport of the fact that the diameter of a
circle is twice the radius. Diameter supports a wider variety of authentication protocols,
including the Extensible Authentication Protocol (EAP). It uses TCP port 3868 instead
of the UDP that RADIUS uses. It also can handle more advanced security using IPsec
and Transport Layer Security (TLS).
NOTE Module 7-1, “Networking with 802.11,” covers wireless authentication
protocols such as EAP and 802.1X in detail.
TACACS, XTACACS, and TACACS+
The Terminal Access Controller Access Control System (TACACS) supplanted RADIUS
and allows a remote user to connect and authenticate to a network via an intermediary
TACACS server. It works pretty much the same way as RADIUS, with a few exceptions.
XTACACS, which stands for Extended TACACS, provides additional functionality for
the TACACS protocol. It also separates the authentication, authorization, and accounting functions out into separate processes, even allowing them to be handled by separate
servers and technologies. TACACS+ is a Cisco-designed version of the older TACACS
protocol that enables newer, more secure authentication protocols to be used over it,
such as Kerberos and EAP. It also permits two-factor authentication. It has become an
open standard. Unlike the issues that plague RADIUS with encryption between the remote host and the RADIUS client, TACACS+ encrypts all traffic between all connection
points, to include user names and passwords. Unfortunately, TACACS+ is not backwardcompatible with the earlier versions of the protocol. TACACS uses TCP or UDP port
49 by default.
03-ch03.indd 204
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-5: Network Authentication
205
Module 3-5: Network Authentication
This module covers the following CompTIA Security+ objectives:
• 2.4 Summarize authentication and authorization design concepts
• 3.1 Given a scenario, implement secure protocols
• 3.8 Given a scenario, implement authentication and authorization solutions
The point-to-point authentication methods described in the previous module are
powerful tools for solutions to situations where a single client needs to authenticate to
a single server acting as a gatekeeper to a larger network. Yet what do we do when we
have many systems already connected on a single LAN? Unlike point-to-point, a client
computer wanting to authenticate connects to many computers at all times (Figure 3-50).
Authentication on a LAN has serious issues that methods such as MS-CHAP or
RADIUS simply do not or cannot address. Let’s look at issues a LAN brings to access
management and then look at the authentication methods and protocols used in most
LANs to provide network authentication.
The Challenge of LAN Access Management
LANs change the concept of access management in a number of ways. First, LANs are
much more permanent compared to most point-to-point connections. The desktop computer in your office, connected by a Gigabit Ethernet connection to your main switch, is
probably going to spend a few years connected to your LAN. This means that the system
needs some form of initial authentication to identify that computer to the network.
Plus, you also need some method to authenticate any user who sits down in front of that
computer to access network resources. Second, LANs are very fast compared to most
Which one of you handles
authentication?
Figure 3-50 Network authentication is a different animal.
03-ch03.indd 205
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
206
Figure 3-51
Network access
control must be
flexible.
I want to authenticate!
Go ahead!
Go ahead!
Go ahead!
point-to-point connections. If you are going to authenticate, you need fast protocols that
allow systems to authenticate quickly. Third, most anything done on LANs is broadcast
to every other computer on the broadcast domain, requiring authentication methods
that allow for many systems to authenticate and authorize each other (Figure 3-51).
The permanency of LANs is motivation for a feature you don’t see in point-to-point
connections. With a LAN, the systems tend to be relatively fixed and permanent, but
users tend to move around. This means that a good LAN access solution has the flexibility
to enable any user to sit at any computer and authenticate themselves to the network as
a whole.
The last and possibly biggest issue is the concept that any single system may offer
shared resources to properly authenticated and authorized users on any system. This
creates an issue in that every system on the network has its own authentication database,
almost always user accounts/passwords. Unless something else is done, a user must
authenticate to every system on the LAN individually (Figure 3-52).
Every computer on a LAN has an operating system that comes with networking tools
for naming systems, sharing resources, and authenticating users. And every modern
operating system can easily share files among each other. For sharing, for example,
Windows, macOS, and Linux/UNIX use the server message block (SMB) protocol (also
known generically as Windows file sharing), so all three operating system families can
easily share (Figure 3-53).
If you want access to my
shared resources you
must authenticate to ME!
If you want access to my
shared resources you
must authenticate to ME!
If you want access to my
shared resources you
must authenticate to ME!
Figure 3-52 In a LAN each system is an island.
03-ch03.indd 206
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-5: Network Authentication
207
I’m a Windows system. I
use SMB for file
sharing.
I’m a Mac. I also
use SMB for
file sharing.
I’m a Linux system. I
too use SMB for
file sharing.
Figure 3-53 Everybody speaks Windows file sharing!
Each operating system also has tools for authentication, particularly for logging into
Windows machines. Because Windows dominates the marketplace, Windows authentication methods loom large. The next section explores Windows authentication methods
in detail.
Microsoft Networking
Microsoft networking has been around for a very long time and has gone through an
incredible number of changes and iterations, but we can make a few straightforward
breakdowns. First, all Windows systems are organized in one of two ways: workgroups or
domains. In a workgroup, every Windows system stores local user names and passwords
and controls access to its own resources. In a domain, all computers authenticate to a
single authentication server known as a domain controller (Figure 3-54). A modern Windows domain stores far more than just user names and passwords. This more advanced,
very powerful domain type is known commonly as Active Directory (AD).
We each handle our authentications.
Workgroup
I handle all authentication.
Domain
Figure 3-54 Workgroup vs. domain
03-ch03.indd 207
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
208
Figure 3-55 Windows Server domains
Every Windows computer on earth is a member of either a workgroup or a domain.
Using workgroups is the default network organization and is very common in homes
and small offices. In a workgroup, a user must have an account on every system from
which they wish to access shared resources. A common way to get around this issue is
to make the same account with the same password on every system. Domains require
a system running special, powerful, and expensive Windows Server operating systems
(Figure 3-55). Every computer on the network then goes through a special process of
joining the domain. Once a computer joins the domain, it authenticates to the domain
controller. A user can log onto any system in the domain and log onto the domain—the
perfect example of single sign-on in action.
NOTE Windows’ domain single sign-on function is so popular that other
operating systems will use Samba to enable individual systems to log onto a
Windows domain controller even if they have no interest in sharing folders.
Workgroups and domains are very important in that Windows uses very different
authentication methods depending on whether there is a workgroup or a domain. In a
workgroup, Windows uses the very old, slightly vulnerable but easy to implement and
backward-compatible NT LAN Manager (NTLM). Windows domain controllers use
the powerful and robust Kerberos authentication protocol.
NTLM
Microsoft developed a series of proprietary authentication protocols early on during
Windows development, and for the most part, they have been deprecated and are no
longer included in new versions of the Windows operating system. You should be aware
of them for the exam, however, and you may actually run into some of these from time to
time in your professional career. The LAN Manager (LANMAN) protocol was developed
and included in Microsoft Windows NT. Like any first attempt, it had weaknesses. For
example, its hash-stored passwords are easily broken if they are obtained by an attacker.
LANMAN was disabled by default starting in Windows Vista and shouldn’t be used
unless you’re running legacy clients that require it.
03-ch03.indd 208
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-5: Network Authentication
209
New Technology LAN Manager (NTLM) was created by Microsoft to replace LANMAN
and is backward-compatible with the older protocol. It’s also a very non-secure protocol,
and it was quickly replaced by NTLM version 2. Both versions are challenge-response
authentication protocols and work similarly to CHAP. Version 2 is used in modern
iterations of Windows, but only for workgroup authentication. Kerberos is the default
authentication protocol for Windows domains (see the next section), but there are still
times when NTLM v2 is used, even in domains. These instances include authenticating
to a server using only an IP address, authenticating to a different AD network that has
a legacy trust enabled, or authenticating a host to a non-AD domain. In these instances,
Windows will default to using NTLM v2.
EXAM TIP Understand the situations in which Windows will default to using
NTLM v2 instead of Kerberos for its authentication protocol. Usually this
occurs where there is no AD environment and the host is communicating in
a workgroup setup.
Kerberos
The Kerberos network authentication protocol is used in modern Active Directory implementations. It began as a project of the Massachusetts Institute of Technology (MIT) and
has been implemented as a centralized, single sign-on authentication mechanism. It is
an open standard, supported officially as an Internet standard by RFC 4120. As of this
writing, the most current version of Kerberos widely in use is version 5.
Kerberos uses a system based on authentication tickets and time stamps that are issued
to the authenticated user. Time stamps help prevent replay attacks because the tickets
expire after a short time and must be refreshed, requiring that the user be reauthenticated
and the ticket reissued. Kerberos’s time stamps rely heavily on authoritative time sources
throughout the network architecture, so many implementations also provide for a
network time server.
Time synchronization is critical in Kerberos. A classic usage case is the “I can’t log
into my domain” problem. If clients are outside a certain tolerance for time difference
with the Kerberos server, the users logging into those clients will not be authenticated.
The default tolerance for time differences is 5 minutes in an Active Directory network,
although this can be changed. Windows systems lean heavily on time synchronization
and constantly keep their time synchronized with their domain controller.
Kerberos uses several components, which you should be familiar with for the exam.
First is the Kerberos Key Distribution Center (KDC), which is responsible for authenticating
users and issuing session keys and tickets. In Active Directory implementations, the
domain controller serves as the KDC. There is also an Authentication Service (AS) and
a Ticket-Granting Service (TGS). Although they are not required to be on the same
host, these services frequently are, for simplicity and efficiency’s sake, on AD domain
controllers in a Windows environment and are part of the KDC implementation.
When a user logs into the system, the AS verifies her identity using the credentials
stored in AD. The user is then issued a Ticket-Granting Ticket (TGT) by the AS, which
can be used to access resources throughout the domain. The TGT expires after a certain
03-ch03.indd 209
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
210
2. AS authenticates and issues
the user a Ticket-Granting Ticket (TGT).
1. Client requests authentication.
3. Client needs to access resource and presents TGT to TGS.
4. TGS issues service ticket for the session.
Client/User
5. Server and client communicate using
the service ticket issued by the TGS.
Resource Server
Figure 3-56 Kerberos process in Windows environments
amount of time, so it must be periodically reissued. When a user wants to access a
resource in the domain, the TGT is presented to the TGS for authentication and the
TGS generates a session key for the communications session between the user and the
resource server. This is known as a service ticket and is used for the duration of the access
to the resource. When a user later needs access to the same or a different resource, the
older ticket is not reused and a new service ticket is generated.
Note that the process we’ve described is specific to Windows AD implementations of
Kerberos, but the principles are the same regardless of what operating system and LDAPbased implementation are in use. A network that uses Kerberos as its authentication
protocol is called a Kerberos realm. Kerberos uses both TCP and UDP ports 88, and
it uses symmetric key cryptography. Figure 3-56 illustrates the Kerberos process in
Windows AD.
LDAP and Secure LDAP
The power of modern Active Directory networks requires a language that allows different domain controllers to query each other’s ADs. This is where LDAP comes into
play. The Lightweight Directory Access Protocol (LDAP) isn’t an authentication protocol;
it’s used to assist in allowing already authenticated users to browse and locate objects
in a distributed network database (like a Windows AD spread out among two or more
domain controllers). It’s also used to facilitate authentication and authorization for
these objects. LDAP is a modern replacement for older X.500 directory services protocols
03-ch03.indd 210
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-6: Identity Management Systems
211
(used for authentication). Although the most popular iteration of LDAP (its current version is version 3) can be found in AD, other platforms use LDAP as well, including the
popular OpenLDAP. LDAP uses both TCP and UDP ports 389. There is a secure version of LDAP that uses TCP port 636. It’s primarily Lightweight Directory Access Protocol
over SSL (LDAPS), and it has been deprecated with LDAP version 2.
NOTE Keep in mind that LDAP is not an authentication protocol, but it does
facilitate authentication and resource access.
Module 3-6: Identity Management Systems
This module covers the following CompTIA Security+ objectives:
• 3.7 Given a scenario, implement identity and account management controls
• 3.8 Given a scenario, implement authentication and authorization solutions
Single sign-on (SSO) for network authentication has been around for a long time. We’ve
already covered single sign-on in a LAN with Microsoft Windows domains as probably
the best single example. As powerful as single sign-on is for LANs, it traditionally has
never been used on the Internet. Anyone who has spent any amount of time bouncing
from one secure Web site to another appreciates the hassle of remembering user names
and passwords for every site.
With the proliferation of Internet services comes password fatigue, the user-based
syndrome of “I have to set up yet another user account and password to remember for
[insert name of new, must-have Web site] service too? Not again!” (Figure 3-57).
NOTE In fairness, Windows’ domain single sign-on can span multiple LANs,
but it’s not commonly used to secure public Web sites.
Figure 3-57
Many passwords
to memorize
03-ch03.indd 211
Secure Site A
User name
Password
Secure Site B
Username
Password
Secure Site C
User name
Password
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
212
The idea of one user name and password to rule them all has merits, certainly, but
also opens a huge discussion about how to keep that identity secure. Plus, it requires
understanding how to establish trusts such that a user can sign on to one site and in
some way then transfer that authentication to other sites in a secure fashion. This
module explores identity management systems (IMSs), tools used to simplify secure access
to multiple Internet-based services via single sign-on. We’ll start with the physical, with
security tokens, then look at shared authentication schemes. The module finishes with
single sign-on options.
Trust
One of the great powers of a Windows domain SSO is the fact that there is always a
domain controller (and maybe a few secondary domain controllers) that stores a single
repository of users and their associated passwords. When you log onto a Windows
domain, you log onto a domain controller. Once your user account authenticates, the
different servers provide authorization to their resources via your Windows security
identifier. Every computer on the domain trusts the domain controller.
Web sites have no domain controller to handle authentication. To make some form
of IMS work for the most distributed of all networks, the Internet, requires trust. Every
IMS begins by giving any Web site that wants to use it some way to trust someone big
like Google, Facebook, or Twitter. The Web site treats the sign-in you use with a trusted
big platform as an option or a replacement for your signing in at the Web site itself. The
individual sites, however, still handle their own authorization (Figure 3-58).
In general, an IMS provides a connection to log into one of these big platforms and,
in turn, provides a token that the little sites use. Module 3-2 touched on the concepts of
tokens, physical objects that enable access to restricted areas or content. A security token
in an online IMS can be a physical thing, like a smartphone, that contains authentication
or password information. It might also be a bit of data that stores some form of descriptor
for the authentication used. You see this sort of token manifest in game systems, for
example, where you change something online and a message is sent to your smartphone.
The change will go through only by entering the security code sent to the phone. The
stored security information in security tokens is often hashed to prevent access in the
event of theft or loss of the device.
Figure 3-58
This site has a lot
of trust.
03-ch03.indd 212
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Module 3-6: Identity Management Systems
213
EXAM TIP The CompTIA Security+ exam objectives refer to security tokens
as simply tokens.
Shared Authentication Schemes
Shared authentication schemes use various protocols, languages, and mechanisms to provide easier access to online resources for people. The two most prominent schemes are
SAML and OpenID.
The Security Assertion Markup Language (SAML) provides a format for a client and
server to exchange authentication and authorization data securely. SAML defines three
roles for making this happen: principal, identity provider, and service provider. The client
or user is often the principal. The principal wants something from the service provider
(SP), the latter often a Web service of some kind. The identity provider (IdP) contains
information that can assure the SP that the principal is legitimately who he says he
is. Systems using SAML can use any number of methods for authentication, including
passwords and user names.
Many companies—big ones, like Amazon, Google, and Microsoft—use OpenID as
an alternative to SAML, enabling users to log into other services using their respective
credentials. Figure 3-59 shows a typical use of OpenID. The user accesses a new (to him)
Web-based service and can log in using his Google account.
Figure 3-59
Sign in with
Google!
03-ch03.indd 213
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
214
OpenID handles the authentication part of the identification process, but relies
on OAuth for authorization. OAuth enables things like users granting information to
Web sites without revealing their passwords.
Many SSO standards rely on SAML for secure communication between principals
and SPs. The SSO standards differ from the previous standards in that the latter require
additional use of the same user credentials. SSO standards do not.
The Shibboleth SSO system, for example, uses SAML (versions 1.3 and 2.0) to
authenticate to various federations of organizations. As discussed in Module 3-1,
federations enable content providers to provide content without retaining any personal
information about clients or principals. This applies to Web-based systems as well as
LAN- and domain-based systems.
Questions
1. Which of the following terms describes the process of allowing access to
different resources?
A. Authorization
B. Authentication
C. Accountability
D. Identification
2. Which of the following states that users should be given only the level of access
needed to perform their duties?
A. Separation of duties
B. Accountability
C. Principle of least privilege
D. Authorization
3. Which of the following access control models allows object creators and owners
to assign permissions to users?
A. Rule-based access control
B. Discretionary access control
C. Mandatory access control
D. Role-based access control
4. An administrator wants to restrict access to a particular database based upon a
stringent set of requirements. The organization is using a discretionary access
control model. The database cannot be written to during a specified period when
03-ch03.indd 214
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Questions
215
transactions are being reconciled. What type of restriction might the administrator
impose on access to the database?
A. Access restricted by the database owner
B. Access based upon membership in a logical group
C. Access from a particular workstation
D. Time-of-day and object permission restrictions
5. Which of the following allows a user to use one set of credentials throughout
an enterprise?
A. TACACS
B. RADIUS
C. Single sign-on
D. TACACS+
6. Which of the following is used to prevent the reuse of passwords?
A. Account disablement
B. Account lockout
C. Password complexity
D. Password history
7. Which of the following are the best ways to ensure that user accounts are being
used appropriately and securely? (Choose two.)
A. Periodically review assigned privileges.
B. Allow users to maintain their privileges indefinitely, even during promotion
or transfer.
C. Continuously monitor accounts, through auditing, to ensure accountability
and security.
D. Ensure that users’ permissions stay cumulative, regardless of which group or
job role they occupy.
8. Which of the following authentication factors would require that you input a
piece of information from memory in addition to using a smart card?
A. Possession
B. Knowledge
C. Inherence
D. Temporal
9. You are implementing an authentication system for a new company. This is
a small company, and the owner has requested that all users be able to create
03-ch03.indd 215
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 3
Chapter 3: Identity and Account Management
216
accounts on their own individual workstations. You would like to explain to
the owner that centralized authentication might be better to use. Which of the
following are advantages of centralized authentication? (Choose two.)
A. Centralized security policies and account requirements.
B. Ability of individuals to set their own security requirements.
C. Ability to use single sign-on capabilities within the entire organization.
D. Requirements have different user names and passwords for each workstation
and resource.
10. Under which of the following circumstances would a Windows host use Kerberos
instead of NTLM v2 to authenticate users?
A. Authenticating to a server using only an IP address
B. Authenticating to a modern Windows Active Directory domain
C. Authenticating to a different Active Directory forest with legacy trusts enabled
D. Authenticating to a server in a Windows workgroup
Answers
1. A. Authorization describes the process of allowing access to different resources.
2. C. The principle of least privilege states that users should be given only the level
of access needed to perform their duties.
3. B. The discretionary access control model allows object creators and owners to
assign permissions to users.
4. D. The administrator would want to impose both a time-of-day and object
permission restriction on users to prevent them from writing to the database during
a specified time period.
5. C. Single sign-on allows a user to use one set of credentials throughout an enterprise
to access various resources without having to reauthenticate with a different set
of credentials.
6. D. The password history setting in the account policy is used to prevent the reuse
of older passwords.
7. A, C. Periodic reviews and continuous monitoring are two ways to ensure that
accounts and privileges are used in accordance with organizational policy and in
a secure manner.
8. B. The knowledge factor would require that you input a piece of information,
such as a password or PIN, from memory in addition to using a smart card.
9. A, C. Centralized system security policies as well as the ability to use single sign-on
throughout the organization are two advantages of centralized authentication.
10. B. When authenticating to a modern Windows Active Directory domain,
Windows uses Kerberos as its authentication protocol by default.
03-ch03.indd 216
25/03/21 2:13 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
CHAPTER
Tools of the Trade
4
I have a thing for tools.
—Tim Allen
IT security professionals use a lot of tools to keep networks secure. These tools range
from go-to utilities that run from the command-line interface of just about every operating system to more complex tools for scanning network activity. Security professionals
spend a phenomenal amount of time setting up and monitoring logs of system activities
so that when that bad actor steps in or some odd action occurs, they’re ready to save
the day.
This chapter explores essential IT security tools in four modules:
•
•
•
•
Operating System Utilities
Network Scanners
Protocol Analyzers
Monitoring Networks
Module 4-1: Operating System Utilities
This module covers the following CompTIA Security+ objectives:
• 3.7 Given a scenario, implement identity and account management controls
• 4.1 Given a scenario, use the appropriate tool to assess organizational security
Windows, macOS, and every Linux distro come with a host of tools for security
professionals. The tools enable you to query network settings, explore routing options,
diagnose connection problems, and much more. Built-in tools give you flexibility and
availability—you need to know them.
This module covers many of the utilities included in Windows and UNIX/Linux
systems. These utilities are listed in the CompTIA Security+ objectives and, more
importantly, every good tech should recognize all of these as well as know where and
when to use them (Figure 4-1).
217
04-ch04.indd 217
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
218
Figure 4-1
We love utilities!
I love my built-in
utilities!
The CompTIA Security+ objectives break these tools into three groups (no doubt
to keep the organization a bit easier): network reconnaissance and discovery, file
manipulation, and shell and script environments.
Network Reconnaissance and Discovery
Sometimes you need to find out details about your system’s network settings and how
that system communicates with both your local network and extended network. Both
Windows and Linux come with plenty of tools, many of them the same or nearly the
same, to do exactly that job. Let’s explore a dozen or so tools:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
ping
ipconfig
ifconfig
ip
arp
netstat
route
netcat
tracert/traceroute
pathping
TCPView
PingPlotter
nslookup
dig
ping
The ping utility enables you to query another system on a TCP/IP network to determine connectivity. ping uses Internet Control Message Protocol (ICMP) packets at OSI
Layer 3, Network, for queries. It’s not a perfect tool, because many systems disable ICMP
traffic to avoid attacks, but ping is quick and effective enough that you’ll find it very useful.
04-ch04.indd 218
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-1: Operating System Utilities
219
Figure 4-2 ping in Windows
When one system successfully pings another host, you automatically know that the
other system is connected and is properly IP addressed. Figure 4-2 shows a successful
ping running in a Windows terminal. We know it’s successful because it shows replies
from the pinged system (192.168.0.1).
By default, ping runs four times in Windows and stops automatically. In Linux, ping
runs continuously until you press ctrl-c. To get ping to run continuously in Windows,
use the –t switch.
The ping utility has uses beyond simply verifying connectivity. Running ping using
a DNS name, for example, is a great way to verify you have a good DNS server. Look
at Figure 4-3. Note that the ping is unsuccessful (shows Destination port unreachable),
but the ping successfully resolves the DNS name (www.cheese.com) to an IP address
(195.149.84.153).
The ping utility offers many more features that IT security professionals use all the
time. Here’s a list of some of the more useful switches:
•
•
•
•
•
04-ch04.indd 219
–a
–t
–f
–4
–6
Resolve addresses to hostnames
Run continuously
Set Don’t Fragment flag in packet (IPv4 only)
Force using IPv4
Force using IPv6
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
220
Figure 4-3 ping resolving an IP address
NOTE Administrators disable ICMP—and thus, ping requests—for a variety
of reasons, but most notably because people can use ping maliciously. The
ping of death sends malformed packets to a computer, possibly causing a
crash. Continuous ping requests—as a denial-of-service attack—can also
crash systems. You’ll see more about attacks such as these in Chapter 5.
ipconfig
Use the ipconfig command in Windows to show the current status of the network settings for a host system. Figure 4-4 shows sample output from ipconfig in Windows 10.
You can see the various IPv6 addresses plus the IPv4 address and subnet mask. Typing
ipconfig by itself also shows the default gateways.
Using switches enhances the ipconfig output; the following six switches are particularly useful. Typing ipconfig /all, for example, lists virtually every IP and Ethernet setting on the system.
•
•
•
•
•
04-ch04.indd 220
/all Get exhaustive listing of virtually every IP and Ethernet setting
/release Release the DHCP IP address lease
/renew Renew the DHCP IP address lease
/flushdns Clear the host’s DNS cache
/displaydns Display the host’s DNS cache
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-1: Operating System Utilities
221
Figure 4-4 Results from running ipconfig
ifconfig
Use the ifconfig command in UNIX/Linux and macOS operating systems to show the
current status of the network settings for a host system. Figure 4-5 shows ifconfig running
in Ubuntu Linux. This shows a lot of configuration settings for the Ethernet connection (enp0s3), including the MAC address (HWaddr), IPv4 address (inet addr), broadcast
Figure 4-5 ifconfig in Ubuntu
04-ch04.indd 221
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
222
IP address, and subnet mask. You can see the IPv6 address (inet6 addr) and many more
details. The lo connection is the loopback, which is the expected 127.0.0.1.
Unlike ipconfig, ifconfig goes beyond basic reporting, enabling you to configure a
system. The following example sets the IP address and the subnet mask for the Ethernet
NIC eth0:
sudo ifconfig eth0 192.168.0.1 netmask 255.255.255.0
NOTE Linux systems also have the iwconfig command exclusively for
wireless connections.
ip
If you’re looking to do anything serious in terms of IP and Ethernet information on a
Linux (not macOS) system, the cool kid is the ip command. The ip command replaces
ifconfig, doing many of the same tasks, such as viewing IP information on a system,
checking the status of network connections, managing routing, and starting or stopping
an Ethernet interface.
The syntax differs from ipconfig and ifconfig, dropping a lot of the extra nonalphanumeric characters and shortening switch names. To see all the Ethernet and
IP information for a system, for example, just type ip addr to get results like Figure 4-6.
You can see the loopback address (lo) for both IPv4 (127.0.0.1/8) and IPv6 (::1/128)
and the IPv4 and IPv6 addresses assigned to the Ethernet port (eth0). Typing ip addr
does not show the MAC address. For that you’d type ip link.
Figure 4-6
Running the
command ip
addr in Kali Linux
04-ch04.indd 222
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-1: Operating System Utilities
223
arp
Every host on a network keeps a cache of mapped IPv4-to-Ethernet addresses for the local
network. The arp command enables you to observe and administer this cache. Interestingly, both the Windows version and the Linux version use almost the same switches.
If you want to see the current cache, type the command as follows (Windows version):
C:\>arp -a
Interface: 192.168.1.75
Internet Address
192.168.1.1
192.168.1.58
192.168.1.128
192.168.1.255
224.0.0.2
224.0.0.22
224.0.0.251
--- 0x2
Physical Address
14-dd-a9-9b-03-90
88-de-a9-57-8c-f7
30-cd-a7-b6-ff-d0
ff-ff-ff-ff-ff-ff
01-00-5e-00-00-02
01-00-5e-00-00-16
01-00-5e-00-00-fb
Type
dynamic
dynamic
dynamic
static
static
static
static
(Several output lines have been removed for brevity.)
The dynamic entries in the Type column show listings under control of DHCP.
Static types are fixed (the multicast addresses that start with 224 never change) or are for
statically assigned IP addresses.
NOTE The arp command is only for IPv4 addresses. IPv6 uses the Neighbor
Discovery protocol.
The arp command enables detection of ARP spoofing, when a separate system uses
the arp command to broadcast another host’s IP address. Look carefully at this arp
command’s output and note that two systems have the same IP address:
C:\>arp -a
Interface: 192.168.1.75
Internet Address
192.168.1.1
192.168.1.58
192.168.1.58
--- 0x2
Physical Address
14-dd-a9-9b-03-90
88-de-a9-57-8c-f7
23-1d-77-43-2c-9b
Type
dynamic
dynamic
dynamic
Given that most operating systems return an error when this happens, you might think
using arp isn’t helpful. But arp at least provides the MAC address for the spoofing system,
which might help you determine the offending system. (A lot of modern switches employ
Dynamic ARP Inspection [DAI] to deal with ARP spoofing automatically, though that’s
beyond the discussion here.)
NOTE The arp command (lowercase) displays information on aspects of
the system that use the Address Resolution Protocol (ARP). The mapped
cache of IP-to-Ethernet addresses, for example, is the ARP cache. arp and
other command-line utilities listed here are lowercase to reflect the casesensitivity of UNIX/Linux systems.
04-ch04.indd 223
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
224
netstat
The netstat command is the go-to tool in Windows and Linux to get any information
you might need on the host system’s TCP and UDP connections, status of all open and
listening ports, and a few other items such as the host’s routing table.
Typing netstat by itself shows all active connections between a host and other hosts:
C:\Users\Mike>netstat
Active Connections
Proto Local Address
TCP
127.0.0.1:5432
TCP
127.0.0.1:5432
TCP
127.0.0.1:5432
Foreign Address
MiKESLAPTOP:50165
MiKESLAPTOP:50168
MiKESLAPTOP:50175
State
ESTABLISHED
ESTABLISHED
ESTABLISHED
You can see that the first few lines of any netstat show a number of active connections
with the loopback address (the 127.x.x.x). These are used by Microsoft for several
different information exchanges such as the Cortana voice recognition utility. Other
connections show up as more varied IP addresses:
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
192.168.1.75:57552
192.168.1.75:58620
192.168.1.75:60435
192.168.1.75:60444
192.168.1.75:60457
192.168.1.75:60461
192.168.1.75:60466
192.168.1.75:60537
167.125.3.3:https
msnbot-25-52-108-191:https
61.55.223.14:33033
92.190.216.63:12350
42.122.162.208:https
62.52.108.74:https
a14-112-155-235:https
65.55.223.12:40027
CLOSE_WAIT
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
ESTABLISHED
CLOSE_WAIT
CLOSE_WAIT
The preceding netstat output shows the open connections on this system, mainly HTTPS
connections for Web pages. In the State column on the right, ESTABLISHED identifies
active connections and CLOSE_WAIT indicates connections that are closing.
Typing netstat in Linux gives the same information, but in a slightly different
format. At the very bottom are the associated UNIX sockets. A socket is an endpoint for
connections. This data is very long and not very useful. Figure 4-7 shows just the first
few lines.
Typing netstat –a in Windows or Linux shows the same information as netstat
alone, but adds listening ports. This is a very powerful tool for finding hidden servers or
malware on a host. Look carefully at the following command. Notice that HTTP port
80 and HTTPS port 443 are listening. This instantly tells you that the host is an HTTP/
HTTPS server. You must then answer the question: “Should this system be running a
Web server?”
C:\Users\Mike>netstat -a
Active Connections
Proto Local Address
TCP
0.0.0.0:135
TCP
0.0.0.0:445
TCP
0.0.0.0:3780
TCP
127.0.0.1:9990
TCP
127.0.0.1:17600
TCP
192.168.1.75:80
TCP
192.168.1.75:443
TCP
192.168.1.75:6698
TCP
192.168.1.75:13958
Foreign Address
MiKESLAPTOP:0
MiKESLAPTOP:0
MiKESLAPTOP:0
MiKESLAPTOP:0
MiKESLAPTOP:0
MiKESLAPTOP:0
MiKESLAPTOP:0
MiKESLAPTOP:0
MiKESLAPTOP:0
State
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
LISTENING
(Lines removed for brevity.)
04-ch04.indd 224
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-1: Operating System Utilities
225
Figure 4-7 netstat in Linux
Running netstat with the –b option displays the executable file making the connection.
Here’s netstat running in Windows PowerShell (introduced later in this module) using
both the –b and –a options (with many lines removed for brevity):
PS C:\WINDOWS\system32> netstat
Active Connections
Proto Local Address
TCP
0.0.0.0:135
[svchost.exe]
TCP
0.0.0.0:80
[svchost.exe]
TCP
0.0.0.0:17500
[Dropbox.exe]
TCP
0.0.0.0:47984
[NvStreamNetworkService.exe]
TCP
192.168.1.75:6698
[SkypeHost.exe]
TCP
192.168.1.75:58620
[Explorer.EXE]
TCP
192.168.1.75:62789
[OneDrive.exe]
-a -b
Foreign Address
MiKESLAPTOP:0
State
LISTENING
MiKESLAPTOP:0
LISTENING
MiKESLAPTOP:0
LISTENING
MiKESLAPTOP:0
LISTENING
MiKESLAPTOP:0
LISTENING
msnbot-65-52-108-191:https
ESTABLISHED
msnbot-65-52-108-205:https
ESTABLISHED
Researching open ports and processes in netstat is nerve wracking. What are these
programs? Why are they listening? A quick Web search of the filename often gives you
excellent guidance as to which programs are good, which are evil, and which you simply
don’t need.
NOTE The netstat command works perfectly well with IPv6.
04-ch04.indd 225
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
226
netstat is an incredibly powerful tool, and this short description barely touched its
capabilities. For the CompTIA Security+ exam, you should experiment with netstat both
in Linux and in Windows.
route
The route command enables you to display and edit a host’s routing table. Inspecting a
routing table enables you to find problems if packets leave your system but never get a
response. In Linux you type route to see the routing table; in Windows you type route
print. Here’s an example of this in Linux:
mike@mike-VirtualBox:~$ route
Kernel IP routing table
Destination
Gateway
default
_gateway
10.0.2.0
0.0.0.0
link-local
0.0.0.0
Genmask
0.0.0.0
255.255.255.0
255.255.0.0
Flags
UG
U
U
Metric
100
100
1000
Ref
0
0
0
Use
0
0
0
Iface
enp0s3
enp0s3
enp0s3
The operating system automatically generates routing tables on individual hosts based
on the network settings. So using route to display the routing table seems logical.
On the other hand, you can use route to make changes to the routing table for a
variety of reasons. You could set up a static route for security purposes, for example, or
remove a route to a specific host to force a secondary gateway.
NOTE The route command rarely comes with Linux distros. Use the apt or
rpm command to install the net-tools package, which includes plenty more
than route as well.
netcat
netcat (or nc) is a terminal program for Linux that enables you to make any type of connection and see the results from a command line. With nc, you can connect to anything
on any port number or you can make your system listen on a port number. Figure 4-8
shows nc connecting to a Web page.
The nc command is a primitive tool. To get any good information from the connection,
the user must know the protocol well enough to type in properly formed input data.
Since this is a Web page, type get index.html HTTP/1.1, as this is what the Web server
is expecting. Figure 4-9 shows the result.
The challenge and the power of nc come from the fact that it’s a tool for people who
know how to type in the right commands, making it great for penetration testing or, if
you’re evil, hacking. Imagine making a connection to a server and typing in anything you
want to try to fool the server into doing something it’s not supposed to do!
Figure 4-8 Connecting to www.google.com with nc
04-ch04.indd 226
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-1: Operating System Utilities
227
Figure 4-9 Successful connection to www.google.com with nc
The nc command even works as a handy scanning command. Find a server, guess
on a port number, and try connecting! The nc command works perfectly with scripts.
It’s relatively easy to write a script that tries 1024 port numbers one after the other,
automating the scanning process.
NOTE Windows lacks an equivalent to netcat, but Ncat from https://nmap
.org/ncat/ has very similar functionality.
tracert/traceroute
If you want to know how packets are routed from a host to an endpoint, try the Windows
tracert command. Linux can use the almost identical command called traceroute (although
it’s not installed by default on many distros, including Ubuntu).
Either command sends packets to each connection between the host and the endpoint,
checking the time to live (TTL) between those connections. Running tracert returns
something like this:
C:\>tracert www.robotmonkeybutler.com
Tracing route to www.robotmonkeybutler.com [64.98.145.30]
over a maximum of 30 hops:
1
5 ms
9 ms
2
5 ms
18 ms
3
15 ms
14 ms
[68.85.253.229]
4
14 ms
10 ms
[68.85.247.29]
5 ms
10 ms
19 ms
192.168.4.1
10.120.17.101
ae201-sur04.airport.tx.houston.comcast.net
17 ms
ae-0-sur03.airport.tx.houston.comcast.net
(Hops 5 through 12 removed for brevity.)
13
71 ms
66
[130.94.195.234]
14
63 ms
60
15
65 ms
68
16
59 ms
58
ms
179 ms
ms
ms
ms
69 ms
70 ms
67 ms
xe-0-10-0-3-5.r05.asbnva02.us.ce.gin.ntt.net
iar02-p3.ash.tucows.net [64.98.2.10]
csr-p6.ash.tucows.net [64.98.128.14]
url.hover.com [64.98.145.30]
Trace complete.
04-ch04.indd 227
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
228
The power of tracert comes by running it before there are any problems. If you look
at the previous example, you see the first two hops use a private IP address. This is
correct, because this network has two routers between the host and the ISP—in this case,
Comcast. Let’s say we run this command again and get this result:
C:\>tracert www.robotmonkeybutler.com
Tracing route to www.robotmonkeybutler.com [64.98.145.30]
over a maximum of 30 hops:
1
5 ms
9 ms
5 ms 192.168.4.1
2
5 ms
18 ms
10 ms 10.120.17.101
3
[10.120.17.101] reports: Destination host unreachable
The tracert successfully made it through both internal routers, but couldn’t make it to
the ISP. In this case we know there’s something wrong between the gateway and the ISP.
It could be that the ISP simply blocks ICMP packets (the protocol used with tracert in
Windows). You can test this by running traceroute in Linux or macOS, which use UDP
rather than ICMP by default.
pathping
pathping, a Windows-only utility, is an interesting combination of tracert and ping.
pathping first runs a traceroute, but then pings each hop 100 times. All this pinging
determines latency much more accurately than tracert does. Pathping is slower than
tracert. The following example of pathping forces no DNS resolution and requires only
IPv4 addresses.
C:\System32\pathping -n -4 www.ibm.com
Tracing route to user-att-108-66-144-0.e2874.dscx.akamaiedge.net [104.94.70.94]
over a maximum of 30 hops:
0 172.18.13.117
1 172.18.13.1
2 104.186.12.1
3
*
*
*
Computing statistics for 50 seconds...
Source to Here
This Node/Link
Hop RTT
Lost/Sent = Pct Lost/Sent = Pct Address
0
172.18.13.117
0/ 100 = 0%
|
1
0ms
0/ 100 = 0%
0/ 100 = 0% 172.18.13.1
0/ 100 = 0%
|
2
1ms
0/ 100 = 0%
0/ 100 = 0% 104.186.12.1
Trace complete.
NOTE In Linux, try either the mtr command or tracepath command
rather than the old and often not-even-installed traceroute. Neither tool is
mentioned in the CompTIA Security+ SY0-601 objectives, but we think you’ll
find them useful.
TCPView and PingPlotter
Need something a little more graphical in your life? There are many interesting graphical tools that enable you to access these commands graphically. Graphical tools often
04-ch04.indd 228
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-1: Operating System Utilities
229
Figure 4-10 PingPlotter in action
provide easier-to-grasp information that the command-line tools lack. Finding netstat a
little frustrating? Try TCPView from Windows Sysinternals instead of netstat. Or maybe
replace boring old ping/traceroute with PingPlotter from Pingman Tools (Figure 4-10).
There are a ton of great tools out there. Take your time, do some research, and find the
ones you enjoy.
NOTE tracert is often a great way to determine the ISP just by looking at the
router names.
DNS Tools
DNS security issues can create huge problems for IT security professionals. Techniques
such as spoofing or replacing a host’s DNS server settings give an attacker tremendous
insight as to whom the host is communicating with. While there are multiple tools and
techniques used to diagnose DNS issues, two built-in OS utilities can be very useful:
nslookup and dig.
nslookup The nslookup tool, built into both Windows and Linux, has one function:
if you give nslookup a DNS server name or a DNS server’s IP address, nslookup will
query that DNS server and (assuming the DNS server is configured to respond) return
incredibly detailed information about any DNS domain. For example, you can run
nslookup to ask a DNS server for all the NS (name server) records for any domain.
This power of nslookup has been used for evil purposes. For that reason, almost no
public DNS server supports nslookup anymore for anything but the simplest queries.
But there are still good reasons to use nslookup.
04-ch04.indd 229
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
230
NOTE
nslookup works similarly in both Linux and Windows.
The most basic way to run nslookup is to type the command followed by a domain.
For example:
C:\WINDOWS\system32>nslookup www.totalsem.com
Server: cdns01.comcast.net
Address: 2001:558:feed::1
Non-authoritative answer:
Name:
www.totalsem.com
Address: 75.126.29.106
The first server is an assigned DNS server for a host. The non-authoritative answer is
the returned IP address for www.totalsem.com. The URL www.totalsem.com is a public
Web server. The totalsem.com domain has a private file server, however, named server1
.totalsem.com. If that URL is queried by nslookup the following happens:
C:\WINDOWS\system32>nslookup server1.totalsem.com
Server: cdns01.comcast.net
Address: 2001:558:feed::1
*** cdns01.comcast.net can't find server1.totalsem.com: Non-existent domain
This is good. The authoritative DNS server is configured to protect this private server
and therefore not respond to an nslookup query.
nslookup can tell you if an IP address is a functioning DNS server. Run nslookup
interactively by typing nslookup to get a prompt:
C:\WINDOWS\system32>nslookup
Default Server: cdns01.comcast.net
Address: 2001:558:feed::1
>
Then type in the IP address of the DNS server you want to check:
> server 8.8.8.8
Default Server: google-public-dns-a.google.com
Address: 8.8.8.8
>
Note that it returns a DNS name. This means there is a reverse DNS zone; a very good
sign, but still not proof. Let’s make it resolve a known-good DNS name:
> www.totalsem.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
Name:
www.totalsem.com
Address: 75.126.29.106
>
04-ch04.indd 230
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-1: Operating System Utilities
231
But look at this alternate response:
DNS request timed out.
timeout was 2 seconds.
*** Request to [4.7.3.4] timed-out
>
This could mean that the server IP address is not a functional DNS server. Or, at the
very least, that the DNS service on this particular server isn’t working.
dig The dig command is a Linux-based DNS querying tool that offers many advantages
over nslookup. dig works with the host’s DNS settings, as opposed to nslookup, which
ignores the host’s DNS settings and makes queries based on the variables entered at
the command line. dig also works well with scripting tools. The dig tool is unique to
Linux, although you can find third-party Windows dig-like tools. dig is simple to use
and provides excellent information with an easy-to-use interface. Figure 4-11 shows a
basic dig query.
Try other dig options. For example, if you want to know all the mail server (MX)
servers for a domain, just add the MX switch, as shown in Figure 4-12.
NOTE The Linux host command isn’t listed on the CompTIA Security+
objectives, but is a great tool and one of our favorites. Know nslookup and
dig for the exam, but check out the host command too!
File Manipulation
Commands generate readable output. If you want to preserve output from a command
for future reference, you can save the command output as a text file. In Linux, pretty
Figure 4-11 Simple dig query
04-ch04.indd 231
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
232
Figure 4-12 Querying for MX records (output reduced for brevity)
much all log files (we’re diving into log files later in Module 4-4) are text files that you
can review, search, and edit. Several Linux utilities provide this capability: cat, chmod,
grep, head, tail, and logger.
NOTE The CompTIA Security+ objectives don’t mention several important
commands that you should know as an IT security professional, such as
sudo, ls, cd, cp, mv, and delete. Because of their practical importance as
IT security tools, you should review them.
cat
The cat command enables you to combine—concatenate—files. Concatenate two files to
the screen with the following command:
cat file1.txt file2.txt
To concatenate these same two files and create a new file, use the following command:
cat file1.txt file2.txt > file3.txt
The cat utility also enables you to view the contents of any text file. Just type cat
followed by the text file you wish to see and it appears on the screen:
mike@mike-VirtualBox:~/Desktop$ cat onelinefile.txt
This is the one line in this file
The cat utility provides a quick, powerful, and versatile tool for working with text files
from the command line. You can view log files, for example, and combine multiple logs.
To search the log files, you can combine cat with grep (which is discussed shortly). cat is
a go-to tool for Linux users.
04-ch04.indd 232
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-1: Operating System Utilities
233
NOTE cat is a fine tool, but explore another tool for current systems (that’s
not on the exam) called less.
chmod
All files on a Linux system, including all log files and text files, have file permissions,
or modes. File permissions are read (r), write (w), and execute (x). Type ls -l to see these
permissions:
mike@mike-VirtualBox:~/Desktop$ ls -l
-rw-rw-r-- 1 mike mike 18626 Jul 11 16:09
-rw-rw-r-- 1 mike mike 18635 Jul 11 16:14
-rw-rw-r-- 1 mike mike
9 Jul 11 15:50
-rwxrwxrwx 1 mike mike
31 Jul 11 16:42
drwxrwxr-x 2 mike mike 4096 Jul 11 16:43
file2.txt
file3.txt
file.txt
program.bin
timmy
on
s
mis
si
s
per
ne
ryo
Eve
up
p
erm
issi
on
sio
n
Gro
mis
per
Ow
ner
Figure 4-13
Linux permissions
s
Examining this output from left to right, the first character determines the type of
entry: a hyphen denotes a regular file and a d denotes a directory. You can see the file or
directory name on the far right of each line. The first four lines show the permissions
for regular files, and the last line shows the permissions for the directory named timmy.
Permissions are listed in three sets of three permissions each, all in a row. The first
set shows the permissions for the owner/creator; the second set defines the group
permissions; the third set describes permissions for everyone else, or other (Figure 4-13).
If a set includes r, w, and x, it means all three of those permissions are assigned. A hyphen
in place of a letter means that specific permission is not assigned. For example, the file2
.txt file in the previous ls -l output has read and write permissions assigned for the owner
and group, but only read permission for other. No one has execute permission (probably
because it really is just a text file!). The directory timmy, in contrast, shows read, write,
and execute permissions for both the owner and the group, plus read and execute (but
not write) for other.
The chmod command enables you to change permissions—or change modes—for a
file or directory. A common way to edit these permissions is to give each set of three
permissions a single numeric value between 0 and 7, representing the combined values
of read (4), write (2), and execute (1). For example, if owner is assigned 0, owner has no
rwxrwxrwx
04-ch04.indd 233
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
234
permissions for the file or directory; if assigned 7, owner has all three permissions. Using
three numbers with chmod can set permissions for any file. Here are some examples:
• chmod 777 <filename> sets permissions to rwxrwxrwx
• chmod 664 <filename> sets permissions to rw-rw-r-• chmod 440 <filename> sets permissions to r--r-----Suppose you have a file called mikeconfig.pcap with the following permissions:
-rw-r----- 1 mike mike 18626 Sep 22 8:09 mikeconfig.pcap
If you wanted to give read and write permissions to everyone, you’d type this command:
chmod 666 mikeconfig.pcap
grep
Text files sometimes get large, making it challenging to find a specific bit of data in them
you need. The grep command looks for search terms (strings) inside text files and returns
any line of that text file containing the string you requested. To illustrate, here is a text
file called database.txt that contains four lines of personal data:
mike@mike-VirtualBox:~$ cat database.txt
mike meyers 1313 mockingbird lane Houston TX
scott jernigan 555 garden oaks Houston TX
dave rush 1234 anytown Spring TX
nasa wissa 5343 space center blvd Clear Lake TX
Watch the following grep commands and see the result.
• Find the word “mike” in database.txt:
mike@mike-VirtualBox:~$ grep mike database.txt
mike meyers 1313 mockingbird lane Houston TX
• Find the phrase “dave rush” in database.txt and identify the line on which it is
found:
mike@mike-VirtualBox:~$ grep -n "dave rush" database.txt
3:dave rush 1234 anytown Spring TX
The grep utility isn’t limited to files. You can take any output to the terminal and
then “pipe” the output through grep to filter out anything you don’t want. The handy
ps aux command shows all the running processes on a Linux system, but the output
can be massive. Let’s say you want to see all the Firefox processes on your system. The
command ps aux | grep firefox tells the system to send (to pipe) the output to the grep
command, not to the screen. The output runs through the grep command and then goes
to the screen.
mike@mike-VirtualBox:~$ ps aux | grep firefox
mike
2970 16.5 13.4 3234952 273148 ?
04-ch04.indd 234
Sl
15:13
0:06 /usr/lib/
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-1: Operating System Utilities
235
firefox/firefox -new-window
mike
3019 23.9 14.7 2719736 299288 ?
Sl
15:13
0:08 /usr/
lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 1
-prefMapSize 219196 -parentBuildID 20200630195452 -appdir /usr/lib/firefox/
browser 2970 true tab
The grep utility is a wonderful tool to filter output to and from files or the screen.
This quick introduction is just that—an introduction and enough to get you through
the exam—but anyone who works with Linux should on their own dig deeper into grep.
head/tail
Sometimes you want to see only the beginning of a text file to get a clue about what data
is stored in that file. Alternatively, there are times where you just want to see the end of
a text file, maybe to see if records were added. That’s where head and tail are used. head
displays the first ten lines of a text file. tail shows the last ten lines.
logger
The logger command enables you to add text to log files manually. You would do this
when you want to add comments. We’ll get to log files in Module 4-4.
Shell and Script Environments
Security experts understand operating system shells, the command-line interfaces (such as
Command, Bash, Terminal, etc.) that enable you to do a ton of things quickly and with
authority. And the CompTIA Security+ objectives aggressively assume that knowledge.
EXAM TIP CompTIA inadvertently listed OpenSSL rather than OpenSSH
in objective 4.1. Expect to see OpenSSH (discussed later in this section)
on the exam.
A huge part of working at the command prompt is using scripting languages. Scripting
languages enable automation of complex tasks and, with the right shells, take advantage
of powerful operating system features (like updating registry settings in Windows)
that would otherwise require writing actual compiled code. The funny part is that the
CompTIA Security+ objectives only mention one shell—Windows’ PowerShell—and
only one scripting language, Python. OK, PowerShell also includes its own scripting
language, but CompTIA Security+ seems to skip popular shells such as GNU Bash
(a Linux shell) and scripting languages like JavaScript.
PowerShell
For decades, Microsoft leaned heavily and exclusively on the Command shell. Compared
to UNIX/Linux, Command was (and still is) extremely primitive and Microsoft knew
this. After a few (better forgotten) attempts, Microsoft introduced PowerShell back in
2006. Since then PowerShell has gone through multiple improvements, making it arguably the best combination of shell and scripting language, certainly for the Windows
platform. Figure 4-14 shows the default PowerShell interface.
04-ch04.indd 235
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
236
Figure 4-14 Windows PowerShell interface
PowerShell’s built-in scripting language has a unique feature that makes it vastly more
powerful than any other language when it comes to working with the Windows operating
system, a direct connection to the internals of Windows. Want to see a list of local users
on a system? Try this PowerShell cmdlet (pronounced “command let”):
Get-LocalUser | Select *
Need to see a setting for a key in the Windows registry? That’s easy for PowerShell:
Get-ItemProperty -Path HKCU:\Software\ScriptingGuys\Scripts -Name version).
version
Feel free to integrate PowerShell cmdlets into the powerful scripting language to do,
well, anything you can imagine. Create GUIs, access databases . . . PowerShell can do it all.
NOTE
PowerShell scripts normally end with a .ps1 file extension.
Don’t feel like using PowerShell scripting in your PowerShell terminal? No worries.
The PowerShell terminal supports other languages such as JavaScript and Python.
PowerShell is a fabulous shell as well as scripting language, and if you’re working on or
developing on a Windows platform, you need to know how to use it.
04-ch04.indd 236
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-2: Network Scanners
237
Python
Most security folks consider Python to be the “go to” scripting language for anything
that’s cross platform, because Python works perfectly and equally on Windows, macOS,
and UNIX/Linux systems. Python has been around for a very long time, is totally free, is
well known and well supported, and has easy-to-find tutorials and support.
NOTE PowerShell is also cross platform (but good luck finding anyone who
runs PowerShell for a living outside of Windows systems).
SSH
Sometimes you just can’t physically be in front of a machine to open a terminal and
do whatever you need to do. That’s where the Secure Shell (SSH) protocol comes
into play. Applications using the SSH protocol can manifest a terminal to a remote
machine, assuming you have a user name and password on that remote machine
(and that remote machine is running an SSH-compatible server). SSH runs on TCP
port 22, and almost every operating system comes with a built-in SSH client, if not
an SSH server as well.
SSH servers and clients must first create an encrypted connection. The SSH protocol
has several ways to do this, but one of the more common methods is for the SSH server
to generate SSH keys: a traditional RSA asymmetric key pair. The server then treats one
key as public and the other as private. When an SSH client attempts to access an SSH
server for the first time, the server sends the public key (Figure 4-15).
Most SSH implementations today rely on the OpenSSH suite of secure networking
utilities. First released in 1999 and in continuous development since then, OpenSSH
offers best-in-class secure connectivity between systems.
NOTE OpenSSH is hosted at https://www.openssh.com/. Check it out—
maybe you can use OpenSSH to develop the next great SSH server!
Module 4-2: Network Scanners
This module covers the following CompTIA Security+ objective:
• 4.1 Given a scenario, use the appropriate tool to assess organizational security
What is on your network? This is
IT security professional must answer.
you need to go through the process of
software and hardware tools, known
complete this process.
04-ch04.indd 237
one of the most important questions a good
When you want to see what’s on a network,
network reconnaissance and discovery. Several
collectively as network scanners, help you to
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
238
Figure 4-15 SSH client receiving a server key
Network scanners use protocols on a network, almost always a LAN, to determine as
much information about the LAN as possible. In essence, a scanner is an inventory tool.
There’s no single standard or type of network scanner. Different network scanners use a
variety of protocols, standards, and methods to query the hosts on the LAN. Given that
virtually every network in existence uses the TCP/IP protocol stack, it might be more
accurate to use the term IP scanner when describing these tools.
EXAM TIP IP scanners are any class of network scanner that concentrates on
IP addresses for network discovery.
04-ch04.indd 238
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-2: Network Scanners
239
Scanning Methods
Every scanner scans differently, but they try to find certain common data. Here’s a short
list of some of the more important items every network scanner will inventory:
•
•
•
•
•
•
Topology
MAC addresses
IP addresses
Open ports
Protocol information on open ports
Operating systems
A good network scanner compiles this information and presents it in a way that
enables security people to understand what’s going on in the network. A network scanner
enables network mapping on many levels.
The one area that IP scanners do not usually cover are protocols underneath TCP/IP.
For example, a TCP/IP scanner isn’t commonly going to verify the Ethernet speed/type.
Some network scanners do inventory lower protocol information, but they tend to be
more specialized. With that in mind, let’s dive into network IP scanners. In general, we
turn to this information for two reasons: baselining and monitoring.
Scanning Targets
Think of a baseline as a verification of the network assets. Security professionals run
baselines to make sure of exactly what is on the network. This a great time to build
an “official” inventory that defines and details every computer, server, printer, router,
switch, and WAP in the network infrastructure.
Once you know what’s on a network, you can then occasionally reapply a network scan
to verify that there are no surprises on the network. Compare recent scans to the baseline
and look for differences. Any sort of baseline deviation—things that have changed—can
help secure the network. In such a scenario, monitoring enables rogue system detection,
such as finding rogue WAPs, unauthorized servers, and other such security breaches.
Network scanners are everywhere. If you go into Network and Sharing Center in
Windows (assuming your firewall settings aren’t too restrictive), you’ll see a perfectly
functional, although very simple, network scanner (Figure 4-16).
Scanner Types
Network scanners tend to fit into one of two categories: simple or powerful. Simple
scanners make quick, basic scans. They require little or no actual skill and only provide
essential information. Powerful network scanners use many protocols to drill deeply into
a network and return an outrageous amount of information.
04-ch04.indd 239
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
240
Figure 4-16 Windows network information
NOTE You won’t see anything on the CompTIA Security+ exam that
divides network scanner types into simple versus powerful. We make that
distinction purely for ease of teaching the subject.
Simple Network Scanners
Simple scanners are easy to use and invariably have pretty graphical user interfaces
(GUIs) to improve usability. The free and surprisingly powerful Angry IP Scanner from
Anton Keks (https://angryip.org) does a good job using simple protocols, mainly ping, to
query a single IPv4 address or an address range. If you just want to count the systems in
a simple LAN and you have confidence that your internal network isn’t blocking ICMP
messages, Angry IP Scanner is a great tool (Figure 4-17). Angry IP Scanner is good for a
single network ID and it does some basic port scanning, but that’s about it.
NOTE Angry IP Scanner and, in fact, most scanning tools will set off your
anti-malware tools. In most cases you’ll need to shut off the anti-malware; or
better yet, go through whatever process is needed to make these scanners
exempt from the anti-malware software.
Simple scanners aren’t limited to Windows. macOS users have similar tools. One of
the more common and popular is IP Scanner by 10base-t Interactive (https://10base-t
.com). Like Angry IP Scanner, this tool uses only the simplest protocols to query a local
network. Compare Figure 4-18 to Figure 4-17 and see how they share a somewhat similar
interface.
04-ch04.indd 240
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-2: Network Scanners
241
Figure 4-17 Angry IP Scanner
Figure 4-18 IP Scanner
04-ch04.indd 241
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
242
Figure 4-19
Fing scanner on
Android
There are also several excellent simple network scanners for smart devices running
Android and iOS operating systems. Given that these devices all have dedicated 802.11
connections, almost all of these simple IP network scanners tend to give excellent wireless
information. One of our favorite scanners is Fing (https://www.fing.com). Note the
screenshot of Fing in Figure 4-19.
Nmap: A Powerful Network Scanner
Simple scanners are wonderful tools if you’re looking for quick scans that grab IP addresses,
open ports, and maybe a Windows network name, but little else. But what if you’re looking for more? What if you have multiple address ranges? What if you have a routed
network and you want to install multiple sensors that all report back to a single system?
In that case you’ll need to turn to a powerful network scanner.
Among the many contenders in the network scanner market, the one that every
security professional should know, and the one explicitly listed in the CompTIA
04-ch04.indd 242
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-2: Network Scanners
243
Figure 4-20 Nmap used in The Matrix
Security+ exam objectives, is Nmap (from https://nmap.org). Originally written back
in the mid-1990s by Gordon Lyon, Nmap established itself as the gold standard for
TCP/IP network scanners early on and has retained its prominence through ongoing
updates from the Nmap community. Nmap is so popular that it shows up in popular
media, such as the movies The Matrix (Figure 4-20) and Judge Dredd.
NOTE Nmap runs on most operating systems, but it runs best on Linux/
UNIX systems.
Having said all these nice things about Nmap, be warned: Nmap is a command-line
tool with a powerful and incredibly complex number of switches and options. Nmap
is complicated to master; there are many thick books and long online Web page Nmap
tutorials that do a great job showing you the power of Nmap. (Also, GUI overlays that
run on top of Nmap are available, such as Zenmap, discussed shortly.) It is impossible to
give you any more than the lightest of touches on Nmap in this module. Fortunately, the
CompTIA Security+ exam will not test you intensely on this tool, but it will expect you
to have a good understanding of its capabilities and some of the basic syntax, and that we
can do here. Do yourself a favor, download Nmap and try it.
Nmap Basics In its simplest form, Nmap is run from a command line. I can run a very
simple Nmap command, as shown in Figure 4-21, against my home router. Nmap scans
the 1000 most common port numbers by default. In this case it located four open ports:
53 (my router is a DNS forwarder), 80 (the router’s Web interface), and 515 and 9100
(I have a printer plugged into the network).
Nmap can just as easily scan an entire network ID. For example, this Nmap command
will run the same command except generate a very long output to the terminal:
nmap 192.168.1.*
04-ch04.indd 243
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
244
Figure 4-21 Basic Nmap command
By adding a few extra switches, –A to tell Nmap to query for OS version and –v to
increase the “verbosity” (in essence telling Nmap to grab more information), you can
get a lot more information. Nmap also works perfectly fine for any public-facing server.
Figure 4-22 shows part of the Nmap scan against Nmap.org’s purpose-built public server
scanme.nmap.org.
Figure 4-22 Part of a more aggressive Nmap scan
04-ch04.indd 244
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-2: Network Scanners
245
Note that not only does Nmap detect open ports, it pulls detailed information about
each port, including the RSA key for the SSH server, the HTTP server version, and the
title to the index page as well as NetBIOS ports.
CAUTION Before you grab a copy of Nmap and start blasting away at
random public-facing servers, a word of caution. Don’t! Multiple laws protect
businesses and individuals from unauthorized scanning. You could end up
in a world of legal hurt if you don’t have permissions to scan. Getting those
permissions as an authorized (white hat) hacker or penetration tester—
someone who tests networks to help identify potential security holes—is a
great idea. Be careful out there!
Zenmap Nmap outputs can be massive, so in many cases security professionals don’t
use this interactive mode of terminal screen output; instead, they direct output to XML
files other tools can analyze, including graphical tools. Nmap provides a wonderful GUI
called Zenmap that enables you to enter Nmap commands and then provides some
handy analysis tools. Figure 4-23 shows the topology screen from Zenmap, showing a
complete network.
Figure 4-23 Zenmap
04-ch04.indd 245
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
246
As previously mentioned, this is just the lightest of tastes of the powerful Nmap
scanner. Nmap is a critical part of many Linux security packages, including the powerful
Metasploit framework.
Module 4-3: Protocol Analyzers
This module covers the following CompTIA Security+ objectives:
• 4.1 Given a scenario, use the appropriate tool to assess organizational security
• 4.3 Given an incident, utilize appropriate data sources to support an
investigation
Protocol analyzers collect and inventory the network traffic on a network. The
CompTIA Security+ exam uses the term protocol analyzer, but that’s a fairly broad term.
The IT industry defines protocol analyzers as any type of hardware or software that
analyzes any form of communication. In IP networks, all data transmits via Ethernet
frames or IP packets contained in those frames, so the better term is packet analyzer
(Figure 4-24). Yet another term you’ll hear many folks in the IT industry use is packet
sniffer (or just sniffer).
If something is going to analyze packets, it is first going to need, well, packets! It needs
some program that can put a NIC into promiscuous mode so that the NIC grabs every
packet it sees. This frame/packet grabber program needs to monitor or sniff the wired
or wireless network and start grabbing the frames/packets. So, a packet analyzer is really
two totally separate functions: a packet sniffer that captures the frames/packets, and the
packet analyzer that replays the collected packets and analyzes them (Figure 4-25).
This combination of sniffer and analyzer leads to a funny name issue. Any of the
following terms are perfectly interchangeable: packet analyzer, network sniffer, network
analyzer, and packet sniffer.
NOTE Different network technologies need different sniffers. If you want
to analyze a wired network, you need a wired sniffer. If you want to sniff a
wireless network, you need a wireless sniffer.
Figure 4-24
I’m a protocol
analyzer.
04-ch04.indd 246
I’m checking
these packets.
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-3: Protocol Analyzers
247
Figure 4-25
Sniffers and
analyzers
Thank you!
Here are your
packets!
Analyzer
Sniffer
Networks generate a huge number of packets. Even in a small home network, moving
a few files and watching a few videos generates hundreds of thousands of packets. A good
analyzer needs two features. First, it must provide some type of interface that allows the
security professional a way to inspect packets. Second, it must provide powerful sorting
and filtering tools to let you look at the packets that interest you while eliminating the
ones you do not want to see.
Why Protocol Analyze?
Collecting and analyzing data via a protocol analyzer enables you to perform wildly
detailed analyses. A protocol analyzer enables security professionals to access and use data
sources to support an investigation in case of an incident. The protocol analyzer output—
the data source—can provide critical information.
A protocol analyzer can reveal all sorts of information, providing huge benefits to the
security of your network. Here are six examples:
• Count all the packets coming through over a certain time period to get a strong
idea as to your network utilization.
• Inspect the packets for single protocols to verify they are working properly
(of course, this means you must know how these protocols work in detail).
• Monitor communication between a client and a server to look for problems in
the communication.
• Look for servers that aren’t authorized on the network.
• Find systems broadcasting bad data.
• Find problems in authentication by watching each step of the process in detail.
NOTE Protocol analyzers require skilled operators with a firm grasp of
TCP/IP protocols. The more a tech understands protocols, the more useful
a protocol analyzer will be.
04-ch04.indd 247
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
248
You can find quite a few protocol analyzers today, but the CompTIA Security+ exam
focuses on two very good protocol analyzers: Wireshark and tcpdump. Both tools enable
packet capture and replay. You can get some great work done without detailed knowledge
of either tool, but in the hands of a skilled professional who understands both the tool and
TCP/IP, a protocol analyzer can answer almost any question that arises in any network.
The CompTIA Security+ exam isn’t going to ask detailed questions about protocol
analyzers, so we’ll only cover a few of the more basic aspects of these tools. But like Nmap
from the previous module, it would behoove you to make an investment in learning and
using one or the other of these amazing tools.
Wireshark
Wireshark is the Grand Old Man of packet analyzers, originally developed in 1998 by
Gerald Combs as Ethereal. In 2006, Ethereal was forked from the original development
team and renamed Wireshark. Wireshark may be old, but it has an amazing development
team that keeps this venerable tool sharp with a huge number of updates.
Wireshark is not only powerful but completely free and works on all major operating
systems (and quite a few not so common ones as well). Its default GUI is so common that
even a few competing protocol analyzers copy it for theirs.
NOTE Some anti-malware programs will flag Wireshark. It’s stupid, but they
do. You might need to disable anti-malware to get results.
Let’s start with that interface, as shown in Figure 4-26. The interface has three main
panes. At the top is a list of all the frames currently captured. (Wireshark shows each
Figure 4-26 Wireshark main screen
04-ch04.indd 248
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-3: Protocol Analyzers
249
Figure 4-27 Selecting a network interface
Ethernet frame, a feature that few other protocol analyzers provide.) In the middle are
the gritty details of the frame currently selected in the top frame. At the bottom is the
raw frame data in hexadecimal.
Wireshark employs an application programming interface (API) to enable a NIC to
ingest all traffic passing by, rather than the default of only traffic intended for the box.
Wireshark uses the libpcap API in Linux or the WinPcap API on Windows systems.
You begin the process of using Wireshark by starting a capture. As shown in Figure 4-27,
Wireshark locates your network interfaces and gives you the opportunity to select which
interface you want to start capturing.
Once you start a capture, at some point you then stop the capture. From there you can
filter and sort the capture by source or destination IP address, source or destination port
number, protocol, or hundreds of other criteria. Wireshark has an expression builder to
help you with complex filters. In Figure 4-28 the expression builder is creating a filter for
a DHCP server response that is passing out the IP address 192.168.1.23.
NOTE You can use a filter on the incoming packets or you can just sniff
everything and filter afterward.
04-ch04.indd 249
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
250
Figure 4-28 Expression builder
Wireshark by default captures and analyzes packets in real time, so you can analyze
as things happen. Sometimes, on the other hand, you need to record data over a period
of time and then run tools for analysis for baselining or historical reference. Imagine a
situation in which a tech wants to capture all HTTP traffic between 12 a.m. and 4 a.m.
on a specific server. In this case, instead of running Wireshark all night, he or she will
turn to a capture-only tool such as TShark. TShark is a command-line tool that works
well with scripting and scheduling tools (Figure 4-29). TShark saves the capture in a
format called pcap that a tech can load into Wireshark the next day for analysis.
Figure 4-29 TShark in action
04-ch04.indd 250
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-3: Protocol Analyzers
251
Figure 4-30 tcpdump
tcpdump
As popular as Wireshark is, especially in Windows, many Linux/UNIX techs swear by
tcpdump. tcpdump predates Wireshark by almost a decade and was the only real protocol
analyzer option for Linux/UNIX until Wireshark was ported over in the very late 1990s
(Figure 4-30).
tcpdump is amazing at sniffing packets, but it can be time consuming to use as a
protocol analyzer, relying on complex command-line switches for sorting and filtering.
No worries! Plenty of graphical protocol analyzers, even Wireshark, run on Linux
(Figure 4-31).
Figure 4-31 Wireshark in Linux
04-ch04.indd 251
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
252
Module 4-4: Monitoring Networks
This module covers the following CompTIA Security+ objectives:
• 1.7 Summarize the techniques used in security assessments
• 4.3 Given an incident, utilize appropriate data sources to support
an investigation
Every organization with proper security includes continuous network monitoring to
recognize and address performance and security events. This monitoring manifests as
the collection of data from a wide variety of sources, one being the standard device
and system logs inherent to every operating system. The metadata from applications,
such as Microsoft Office 365, provides a great source, because it includes e-mail logs,
mobile device records, Web traffic, and file manipulation details. Another source is logs
from devices running protocols designed specifically for network monitoring, such as the
Simple Network Management Protocol (SNMP).
SNMP data collected for network monitoring includes intrusion detection/prevention
system alerts, firewall alerts and logs, and real-time network monitoring. Real-time
network monitoring involves protocol and traffic monitoring (also known as sniffing)
using a protocol analyzer, so that the data may be collected and stored for later analysis.
SNMP provides bandwidth monitoring in real time, enabling security professionals to
assess data in the face of an incident.
Similarly, the Cisco-based NetFlow and the more generic sFlow offer analytical tools
for security people by assessing the flow of IP traffic. Such tools are invaluable when an
incident occurs.
More complex systems rely on advanced monitoring tools such as a security information
and event management (SIEM) application that monitors log files—brought into the
monitoring tools using protocols like SNMP—to provide managers powerful, easy to
read and understand toolsets. These toolsets enable them to react to situations on their
network in real time (Figure 4-32).
Figure 4-32
A security event
04-ch04.indd 252
tW
Ϯ
KŚ͕ŶŽ͘dŚĂƚĐĂŶ͛ƚďĞŐŽŽĚ͊
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-4: Monitoring Networks
253
To understand the critical process of network monitoring, let’s begin by exploring
the many types of log files found on devices in a network. From there, we’ll see how these
files can be centralized for easier monitoring and then finish with a discussion on log file
management and analysis.
Exploring Log Files
Logs are databases, usually distinct files that record events on systems. You’ll most commonly hear them referenced as event logs, as in the case of Microsoft Windows operating
systems. Linux systems refer to them as syslogs, or system logs. Whatever the name, log
files are everywhere! You’d be hard-pressed to find a networking device or almost any
form of software that doesn’t make log files, or at least has the capability to create log files
as needed.
Operating systems also store log files in various locations and in various formats.
Security personnel often refer to these logs as security or audit trail, or sometimes as
audit log, because they provide information on events that are of a security interest.
Security logs audit access to a particular resource or system. Audit logs can record very
specific information about an event, to include user names, workstation or host names,
IP addresses, MAC addresses, the resource that was accessed, and the type of action
that occurred on the resource. This action could be something such as a file deletion or
creation; it also could be use of elevated or administrative privileges.
Very often, security personnel may audit when users with administrative privileges
create additional user accounts, for example, or change host configurations. Figure 4-33
shows an example of a Linux audit trail.
Visitor logs are resource-oriented and list all the different types of access that occur on
a resource (such as a shared folder, file, or other object). Most systems can produce visitor
logs for a specific resource, but often this must be configured on the resource itself to
generate those logs. You can use visitor logs that are not system-generated. For example,
you can have manually generated visitor logs for entrance into a facility or restricted area.
Security experts work hard to keep up with all the different log files available and use
them in the most efficient and reasonable way possible.
Log File Examples
Students of CompTIA Security+ reasonably ask what they need to know about log files
to pass the exam. It’s a fair question, but rarely do people like my answer: “You need to
know very little about log files other than what’s inside the log files themselves.” What
I’m trying to say is that if you think about what a log records, then you should have
a good feel about the types of data stored in that log file. Luckily for students of the
SY0-601 exam, CompTIA has specific types of log files for consideration, all listed prettily under objective 4.3! Let’s run down that list.
Network It you have a device or a piece of software that deals with networking, then
you almost certainly have some kind of network log. A network log varies by the type of
device using the network. A router might have a network log that tracks the number
of connections per hour on every route. A switch might record packets per seconds for
VLANs. On an individual host, you might log the usage of a particular NIC.
04-ch04.indd 253
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
254
Figure 4-33 An example of a Linux audit trail log file
System A system log file records issues that directly affect a single system but aren’t
network functions. System log files will show reboots, executable files starting, and edited
files on the system, for example.
Application An application may have its own log file. What appears in this application
log file requires some knowledge of the application that is using the log. Probably one
of the most common application logs is for a Web server. Web server software is an
application to share Web pages. In this case, since we know what Web servers do, we can
assume the Web log keeps track of the number of pages served per hour/minute, perhaps
even a listing of the different IP addresses asking for the Web page, or maybe the number
of malformed HTTPS packets.
Security Both systems and applications typically include security logs that record
activities that potentially impact security. Security logs might track all successful and/or
unsuccessful logon attempts. They track the creation or deletion of new users and also
keep track of any permission changes to resources within the system or application.
04-ch04.indd 254
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-4: Monitoring Networks
255
DNS Any good DNS server is going to keep a log. DNS logs are application logs that
keep track of things appropriate to a DNS server application. DNS logs typically include
entries for activities such as the creation of new forward lookup zones, cache updates/
clearing, and changes to critical settings like root server.
Authentication An authentication log is a special type of security log that tracks
nothing other than users attempting to log onto a system. This includes tracking failed
logons as well as successful logons.
Dump Files On some operating systems, a dump file is generated when an executable
program crashes. These dump files record memory locations, running processes, and
threads. Dump files are almost always used exclusively by the developers of the executable
file that needs . . . dumping.
VoIP and Call Managers Voice over IP (VoIP) and call manager software solutions create
logs that store information about the calls themselves. Phone numbers and duration of
calls are the two most common items logged, but items from other VoIP tools such as
billing might also be included.
Session Initiation Protocol Traffic Session Initial Protocol (SIP) traffic is usually a
subset of VoIP traffic but exclusive to the SIP protocol. In this case, a SIP traffic log tracks
where the IP address to/from is logged as well as any details about the call itself.
Windows Log Tools
Every Windows systems contains the venerable Event Viewer as the go-to log observation tool. Event Viewer contains a number of preset logs (notice the System logs folder
in Figure 4-34). You can create new logs here or in the local security policy application.
Figure 4-34 Event Viewer
04-ch04.indd 255
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
256
Figure 4-35 Linux journalctl log viewer
Linux Logs
Linux loves to make log files, dedicating an entire folder to nothing but all the logs you’ll
ever need. In most distros, this folder is called /var/log. Log files end with a .log extension
and, unlike in Windows, there is no single log viewing app. You can add various GUI log
readers, such as LOGalyze or glogg.
The go-to log viewer on most Linux systems, journalctl, displays all logs in a system
in a single format. journalctl also takes all the common Linux terminal arguments.
Figure 4-35 shows journalctl using grep commands to filter on the term “warn.”
Linux logs are almost as simple as Windows logs in that there’s basically a single source
for all your log needs: syslog. OK, that’s not exactly true, as syslog is over 30 years old and
has been supplanted by two improved syslog versions: rsyslog, which came out in the late
1990s and is basically just an improved syslog, and syslog-ng, which is an object-oriented
version of syslog. Right now syslog is probably the most popular version of these three
syslog-like tools, but deciding which tool is best is really up to the individual user, as
syslog, rsyslog, and syslog-ng all have their fans and detractors. In most cases, you’ll end
up using the form of syslog that works best for whatever system you want to use. (See the
upcoming “Centralizing Log Files” section.)
The one good thing about all versions of syslog is their superb standardized format for
all log entries. This format is considered the standard for all log files. Even Windows log
files can manifest in this format.
NOTE If you need to add a notation to syslog, use the logger command,
discussed back in Module 4-1. It creates a single entry, properly timestamped,
that users can access later. It’s an excellent way to make inline documentation
for any log file.
Device Logs
Every enterprise-level (and many SOHO-level) devices come with some form of logging
built into them. In most cases, you just need to log onto that device (often a Web interface) to see the logs on that device in action. Figure 4-36 shows one example of these logs
on a home router.
The challenge to using these log files is that you have to access the device every time
you want to see what’s happening on that system. A better solution is where multiple
devices send log files to a central source that can, in turn, analyze that information.
04-ch04.indd 256
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-4: Monitoring Networks
257
Figure 4-36 Home router log file
Then that centralized analysis can display what’s happening on the network in a way that
administrators can react to the needs of the network. To do that requires centralization of
far-flung log files into a single source.
Centralizing Log Files
The idea of gathering log files from disparate hosts within a network and placing them
in a central location for storage and analysis isn’t a new idea. Many tools and protocols
help you accomplish exactly this task. Let’s start by organizing some of the major players
out there for centralization and eventually lead to the Holy Grail of network monitoring,
SIEM.
syslog
syslog and its alternative forms are more than just log tools. syslog is a complete protocol
for the transmission and storage of Linux logs into a single syslog server, configured by
the network administrators. Once all the files are stored in a single location, we can use
tools such as journalctl to monitor the entire network.
NOTE Can you imagine using syslog to combine log files from all over a
network? Imagine the complexity of just trying to read, analyze, and store
these files. This is a big shortcoming of syslog and the reason we use other
tools on top of syslog to do the big-picture jobs of network monitoring.
Keep reading!
04-ch04.indd 257
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
258
SNMP
The Simple Network Management Protocol (SNMP) enables proactive monitoring of network hosts in real time. Among other things, SNMP is a bandwidth monitor, providing
up-to-the-second information for network administrators. This real-time information
can provide critical data sources to support investigations in the face of an incident.
Devices that use SNMP have a small piece of software known as an agent installed on
them, and this agent can report certain types of data back to a centralized monitoring
server. This agent is configured with a Management Information Base (MIB), which is a
very specific set of configuration items tailored for the device. Using the MIB, the agent
can relay very specific event information to a centralized console in real time. These events
are known as traps and are essentially specific events configured with certain thresholds.
If a configured threshold is reached for a particular event, the trap is triggered and the
notification or alert is sent to the management console.
These traps and messages can let an administrator know about the device status and
health. In other words, the administrator could get information on when the device
is up or down, whether its hardware is functioning properly or not, if its memory or
CPU use is too high, and other interesting details about the device. In some cases, these
trap messages could indicate an active attack against the device or some other type of
unauthorized access or misuse.
NOTE
Chapter 8 covers SNMP security in more detail.
NetFlow/sFlow
The Cisco-based NetFlow utility provides real-time information about all the IP traffic
in a system. sFlow provides similar information, but, unlike NetFlow, runs in hardware.
NetFlow is a software implementation. Numerous switch and router manufacturers
deploy sFlow chips/technology, so it is not limited to Cisco hardware.
In concept, a flow represents the movement of an IP packet through a network. By
monitoring such information, NetFlow/sFlow can pick up very quickly when patterns
diverge from what would be considered normal traffic. Flow information is stored in logs
or flow caches that the tools can analyze.
Spawned from NetFlow version 9, Internet Protocol Flow Information Export (IPFIX)
provides more flexibility in the types of information that can be combined and saved
for analysis, such as mail records, HTTP URL information, SIP data, and more. IPFIX
is an Internet Engineering Task Force (IETF) specification (RFC 7011), is backwardly
compatible to NetFlow v9, and is widely adopted in the industry.
EXAM TIP CompTIA uses title case for NetFlow, so Netflow. Cisco uses camel
case, so that’s what we use too.
04-ch04.indd 258
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-4: Monitoring Networks
259
NXLog
NXLog is one example of many solutions out there that provide centralized log monitoring. NXLog is cross platform and takes advantage of darn near every and any protocol
out there (including syslog and SNMP) to bring log data together. On Linux systems,
NXLog reads from both a local system’s syslog and NXLog’s installed daemon. On Windows, NXLog runs its own agent and also uses SNMP.
NXLog is a powerful logging tool, but it is not designed to provide pretty desktops or
to analyze the log data. NXLog is ready and able to give this log data to those types of
systems, but that means we need to start talking about SIEM.
Security Information and Event Management
The traditional way to manage logging and monitoring in a network was to sit down at
a system and look at the log files generated by the system, reviewing them for the events
of interest. This is not the most efficient way to manage network monitoring and analysis
activities.
Almost every organization now uses security information and event management (SIEM),
an enterprise-level technology and infrastructure that collects data points from every host
on the network, including log files, traffic captures, SNMP messages, and so on. SIEM
can collect all this data into one centralized location and correlate it for analysis to look
for security and performance issues, as well as negative trends, all in real time.
NOTE SIEM is pronounced “sim” most frequently, not “seem” or “see-em.”
For clarity, network professionals can simply enunciate the initials.
Note that although SIEM requires real-time monitoring technologies, just because
you’re using some of these real-time technologies doesn’t necessarily mean you are using
SIEM. SIEM unifies and correlates all the real-time events from a multitude of disparate
sources, including network alerts, log files, physical security logs, and so on. You could
still have real-time monitoring going on, but without combining and correlating all those
different event sources. A true unified SIEM system is required to do that.
SIEM Infrastructure
SIEM isn’t a law or a standard. It’s an integrated approach to monitoring networks
that enables security professionals to react on a timely basis to incidents. SIEM systems
employ certain components, discrete or combined with others, but you can count on the
following:
•
•
•
•
04-ch04.indd 259
Sensors/collectors
Server
Analyzers
Dashboard
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
260
Sensors/Collectors All SIEM solutions rely on sensors/collectors to acquire data about
the network. These collectors manifest as special software running on a Windows system,
an SNMP connection to a switch, or perhaps a third-party tool like NXLog providing
information from a gateway router. Whatever the case, these devices must work together
to bring the data into a single source, a SIEM server.
Server A SIEM server stores all the data coming in from multiple collectors. A single
SIEM server might be a subserver that in turn reports to a main SIEM server.
Analyzers Analyzers take data from SIEM servers and, using a myriad of tools, look
at the data to try to locate signatures of something that an organization would consider
an incident.
Dashboard A SIEM dashboard presents the analyzed data in a way that makes sense
to those monitoring the data and informs them of incidents taking place. Most SIEM
dashboards provide graphs and counters. Figure 4-37 shows one style of dashboard from
Elastic Cloud, a popular SIEM solution available today.
A good SIEM dashboard provides security monitoring—tools for watching and
recording what’s happening on your network. Beyond that, though, you can count on a
SIEM dashboard to supply the following information:
• Sensor list/sensor warning If an incident is taking place at a certain point,
which sensor is giving that information? The sensor list or sensor warning
provides that information.
• Alerts Alerts enable the SIEM dashboard to inform the person(s) monitoring
of a potential incident. This can be a warning ribbon at the bottom of the screen,
an audible alarm, or a log entry shown in red.
• Sensitivity How sensitive is a certain setting that might detect an incident? Too
high and you’ll get false positives. Too low and you’ll get false negatives.
• Trends Certain incidents make more sense when seen as a trend as opposed
to an alert. Network usage is one good example. Techs can watch usage grow on
a chat and consider those implications, as opposed to just getting some alert.
Anyone who owns an automobile with an oil pressure gauge instead of an idiot
light knows this feeling.
• Correlation A good dashboard will recognize relationships between alerts and
trends and in some way inform the person(s) monitoring of that correlation. This
is often presented as line graphs with multiple data fields.
SIEM Process
The SIEM process closely maps to the infrastructure. Let’s discuss some of the more
important parts of this process as data goes through a typical SIEM infrastructure.
Data Inputs SIEM solutions grab data from many different sources. Most SIEM
solutions use log collectors—tools for recording network events—and SNMP inputs, of
course, but many go far beyond those sources. For example, it’s not uncommon for a
04-ch04.indd 260
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Module 4-4: Monitoring Networks
261
Figure 4-37 Elastic Cloud dashboard
SIEM solution to employ agents that perform packet capture for situations where that
might be needed.
Log Aggregation SIEM servers can’t just have data dumped on them. First, data needs
to be normalized, to regularize the same type of data among multiple logs. One great
example of this is log aggregation. What if one log stores all source IP address information
as “SRC_IP” while another log stores the same data as “Source”? Proper log aggregation
will make the data output under a single label. Another example is too much data. Does
the server need to store every IP packet going through a switch if all it really needs to
know is the number of packets per second?
04-ch04.indd 261
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
262
Analysis SIEM analysis is a massive topic, but CompTIA only wants you to consider
two types of analyses, user behavior analysis and sentiment analysis. User behavior analysis,
as the name implies, considers how users behave on a network. Does Maria always log
onto the same machine every day? Does Mario add new users to his department within
a day after they are hired? When users move outside their anticipated behaviors, that
may be indicative of trouble. Sentiment analysis tries to parse actual language used to
determine the meaning behind that use. The system monitors things like publications for
negative sentiment to determine intentions of a threat group, for example.
Review Reports No SIEM system is perfect. Review reports detail the results of
examining the success rate of a SIEM system over a certain timeframe. These review
reports tell the administrators of the SIEM system where they need to improve.
Log File Management
Log management refers to the logistics of managing all the device logs in a network. In
addition to reviewing log files on a periodic basis, you’ll need to consider a few other
aspects of log management. First, you should decide how long to keep log files, since they
take up a lot of space and may not exactly contain a lot of relevant information—unless
you need to look at a specific event. Sometimes governance, including regulations and
other legal requirements, may require you to keep system log files for a certain amount
of time, so log management is also concerned with retention of archived log files for a
defined period.
Secure storage, retention, and retrieval of archived logs are required simply because
log files can contain sensitive information about systems and networks, as well as other
types of sensitive data. You must ensure that only personnel authorized to view log files
have access to them and protect those log files from unauthorized access or modification.
You must also be able to retrieve the log files from storage in the event of an investigation
or legal action against your organization, as well as comply with audit requirements
imposed by law. Log management applies to all of these things, and effective policy
regarding managing the logs in the organization should address all these issues.
Security professionals look for particular types of information on a routine basis, and
thus should configure logging to provide only that pertinent information. This helps
to find the relevant information and eliminate the massive amounts of unnecessary
information. For event-specific information, such as a major performance issue, an
outage, or even a significant security event, a lot more information may be needed during
those specific circumstances only. In such a case, security professionals may temporarily
configure logging to provide far more detailed information. Getting that level of detail on
a routine basis, however, would likely make logs unmanageable and limit their usefulness.
For example, let’s say that you are monitoring a potential hacking attempt. You may
change the audit level of your network devices or internal hosts to include more detailed
information on processes, threads, and interactions with lower-level hardware. This level
of detail can produce a vast amount of logs very quickly, which can fill up device storage
and be very unwieldy to examine. Because of this, you’d want to enable this level of
logging only for a short while, just long enough to get the information you need. After
that, you’d want to reduce the logging level back to normal.
04-ch04.indd 262
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Questions
263
Questions
1. What does nslookup do?
A. Retrieves the name space for the network
B. Queries DNS for the IP address of the supplied host name
C. Performs an ARP lookup
D. Lists the current running network services on localhost
2. What is Wireshark?
A. Protocol analyzer
B. Packet sniffer
C. Packet analyzer
D. All of the above
3. One of your users calls you with a complaint that he can’t reach the site www
.google.com. You try and access the site and discover you can’t connect either but
you can ping the site with its IP address. What is the most probable culprit?
A. The workgroup switch is down.
B. Google is down.
C. The gateway is down.
D. The DNS server is down.
4. What command do you use to see the DNS cache on a Windows system?
A. ping /showdns
B. ipconfig /showdns
C. ipconfig /displaydns
D. ping /displaydns
5. Which of the following tools enables you to log into and control a remote
system securely?
A. ipconfig
B. remoteconfig
C. rlogin
D. SSH
6. Which protocol do tools use to enable proactive monitoring of network hosts in
real time?
A. ipconfig
B. nslookup
C. SNMP
D. SSH
04-ch04.indd 263
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Chapter 4: Tools of the Trade
264
7. The Windows tracert tool fails sometimes because many routers block
__________ packets.
A. ping
B. TCP
C. UDP
D. ICMP
8. Which tools can you (and hackers) use to query LISTENING ports on your
network? (Choose three.)
A. Port scanner
B. Nmap
C. Angry IP Scanner
D. Hostname command
9. Which tool enables you to view the contents of a text file in Linux?
A. cat
B. dig
C. notepad
D. nslookup
10. Which of the following commands would change the permissions of the file
timmy.exe to read-only for all users but execute for the owner?
A. chmod 440 timmy.exe
B. chmod 664 timmy.exe
C. chmod 744 timmy.exe
D. chmod 777 timmy.exe
Answers
1. B. The nslookup command queries DNS and returns the IP address of the
supplied host name.
2. D. Wireshark can sniff and analyze all the network traffic that enters the
computer’s NIC.
3. D. In this case, the DNS system is probably at fault. By pinging the site with its
IP address, you have established that the site is up and your LAN and gateway are
functioning properly.
4. C. To see the DNS cache on a Windows system, run the ipconfig /displaydns
command at a command prompt.
04-ch04.indd 264
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 4
Answers
265
5. D. Use Secure Shell (SSH) to log in and control a remote system securely. rlogin
is an alternative to SSH, by the way, but lacks encryption.
6. C. The protocol for tools to do real-time network monitoring is SNMP.
7. D. The Windows tracert tool fails because it relies on ICMP packets that routers
commonly block.
8. A, B, C. The hostname command simply returns the host name of the local system.
All other tools mentioned can scan ports to locate network vulnerabilities.
9. A. The cat command enables you to view and combine text files in Linux.
10. C. Using the command chmod 744 timmy.exe sets the permission as rwxr--r-for the file. The owner has read, write, and execute permissions. The group and
others have only read permissions.
04-ch04.indd 265
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Blind Folio 266
This page intentionally left blank
04-ch04.indd 266
25/03/21 2:14 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
CHAPTER
Securing Individual
Systems
5
Adapt what is useful, reject what is useless, and add what is specifically your own.
—Bruce Lee
A typical security professional bandies about the term attack surface, meaning a cumulation of all the vulnerabilities for a specific infrastructure item. For a gateway router, for
example, the attack surface refers to every option that an attacker might use to compromise that router, from misconfiguration to physical damage or theft (Figure 5-1).
This chapter explores the attack surface of one of the most vulnerable parts of networks, the individual systems. An individual system for the purposes of this chapter is a
single computer running Windows, macOS, Linux/UNIX, or Chrome OS, in use every
day. This includes desktops, laptops, servers, and workstations. It also includes mobile
devices, but only to a lesser degree. We’ll see more of those systems in later chapters.
The typical individual system on a network has hardware, software, connections, and
applications, all of which are vulnerable to attack. The chapter first examines some of the
more common attack methods, building on concepts that you learned in earlier chapters.
This follows with an extensive discussion of the effects malware can have. Module 5-3
examines system resiliency options and methods. Subsequent modules explore different angles of individual system attack surfaces, from hardware to operating systems and
applications, including host-based firewalls and intrusion detection (Figure 5-2). The
chapter finishes with a brief discussion of ending the life of individual systems securely.
267
05-ch05.indd 267
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
268
Figure 5-1
An attack surface
We attack
here!
NOTE One attack surface variety this chapter does not cover is Internet
applications—that is, Web apps. While these applications certainly run on
individual server systems, local users on a LAN generally do not use those
systems. These applications have their own class of problems that warrant
their own chapter. We’ll go into Internet application attacks—and how to
stop them—in Chapter 11.
This chapter explores methods for securing individual systems in six modules:
•
•
•
•
•
•
Types of System Attacks
Malware
Cybersecurity Resilience
Securing Hardware
Securing Endpoints
System Recycling
Figure 5-2
We need to
protect systems.
05-ch05.indd 268
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-1: Types of System Attacks
269
Module 5-1: Types of System Attacks
This module covers the following CompTIA Security+ objectives:
• 1.3 Given a scenario, analyze potential indicators associated with
application attacks
• 1.4 Given a scenario, analyze potential indicators associated with
network attacks
• 1.6 Explain the security concerns associated with various types
of vulnerabilities
Any network is nothing more than a series of systems connected via fiber, copper, or
wireless connections. But a physical connection isn’t enough. To function on a network,
the system must possess the necessary hardware and software to connect to a LAN
and communicate via IP, sending and receiving properly formatted TCP/UDP/ICMP
segments/datagrams (lumped together here as TCP/IP packets).
To perform this, a system consists of four independent features: network-aware
applications, a network-aware operating system, a network stack to handle incoming
and outgoing packets, and proper drivers for the network interface. Collectively, these
features are the attack surface for an individual system.
NOTE Physical access to a system provides a rather robust attack surface,
although most of these topics fall outside the scope of CompTIA Security+.
Module 5-4 explores this further.
To understand the types of attacks unleashed on systems, let’s put all these features in
order, as shown in Figure 5-3. We can then explore how bad actors can take advantage of
vulnerabilities in each of these features to compromise individual systems.
Figure 5-3
Individual
systems’ attack
surfaces
Here are
attack surfaces
Application
Operating System
Network Stack
Drivers
05-ch05.indd 269
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
270
Attacking Applications
Applications contain their own unique set of vulnerabilities, but the impact of the vulnerabilities often remains, such as taking control of the application, shutting down the
application, and accessing data from the application. This section looks at several attack
surfaces for applications:
•
•
•
•
•
•
•
•
•
•
•
Race conditions
Improper input handling
Error handling
Memory/buffer vulnerabilities
Pointer/object dereference
Resource exhaustion
Weak encryption
DLL injection
API attacks
Privilege escalation
Services
NOTE Just about every application attack type listed starts with or interacts
with the operating system on which the application runs. This section could
have easily been titled “Exploiting Operating System Vulnerabilities to Attack
Applications,” but we went with the shorter title. You’ll see this interaction
between OS and apps throughout.
Race Conditions
Most applications take advantage of multitasking to run multiple processes/functions at
the same time. Sometimes the effect of two or more simultaneous transactions can result
in undesired results called a race condition. Race conditions manifest as counters, totals,
and other usually integer (whole number) values that simply don’t add up correctly, such
as when a program runs subroutine A and subroutine NOT A at the same time. Another
bug that can happen with a race condition is time-of-check to time-of-use (TOCTOU),
where exploits can happen between the program checking the state of something and
doing something about the results. Attackers can create or exploit race conditions. The
impact of race conditions varies from incorrect values in Web carts to system stops to
privilege escalation (see “Privilege Escalation” for more details on the last).
EXAM TIP The CompTIA Security+ objectives drop the hyphens and the “to”
for TOCTOU, so you’ll see the term on the exam as time of check/time of use.
05-ch05.indd 270
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-1: Types of System Attacks
271
Improper Input Handling
Programmers write software to take in and output data and results. That seems fairly
obvious from a user standpoint, whether it’s typing in Microsoft Word or changing data
in an Access database and seeing changes made appear on the screen. Programs also get
input from less visible sources and need to validate that input. A poorly written program—or a great program attacked by a clever attacker—can take in or handle improper
information. This improper input handling can lead to unauthorized access to data, unexpected or undesired commands executed on a Web server, and more.
NOTE Programmers write apps with certain expectations. Users provide
input, processors process, and the app provides output. Input validation
routines accept proper input and, in theory, reject improper input.
Unexpected input can wreak havoc, though, so app developers will hire folks
to throw all sorts of stuff at their app, just to see if it will break. That’s part
of the programming process. (You won’t be tested on this, but thought you
might like to know.)
Error Handling
What happens following an exception, an unexpected input or result, depends on how the
programmers anticipated error handling by the application. Attackers could exploit a weak
configuration or a bug in the code to do some serious damage. As a result of such vulnerabilities, some programs might crash, while others might reboot or restart. A more graceful response would send the application or server into a safe state that stops a bad actor
from continuing an attack or malformed packets from causing problems. A Web server
could restart in a maintenance mode, for example, so bad guys couldn’t keep manipulating it. The Web server could inform administrators that it has switched to the error/
maintenance mode. These would be good examples of error handling.
NOTE Programmers dance delicate steps with error handling and reporting.
Saving logs or error reports helps developers find and fix unexpected issues.
Too precise an error report, on the other hand, can tell an attacker exactly
what happened. That can lead the attacker to a new, more effective path,
and that’s not a good thing.
Memory/Buffer Vulnerabilities
All code uses memory to handle the active operation of that code. RAM may be cheap
these days, but applications must be programmed properly to be aware of the amount of
memory they’re using. The CompTIA Security+ objectives include three vulnerabilities
that are so closely related that it makes sense to treat them as a single issue:
• Memory leak
• Integer overflow
• Buffer overflow
05-ch05.indd 271
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
272
All three of these vulnerabilities describe some part of memory being filled beyond the
programmed capacity. A memory leak is a general issue where a single process begins to
ask for more and more memory from the system without ever releasing memory. Eventually, the system reaches a memory full state and stops working.
Integer overflows are when a value greater than an integer variable causes the application to stop working. The program might have a field that accepts whole numbers from
0–64,535, for example, and receive a number of 128,000. Ouch!
A buffer is a temporary storage area in memory to hold data, such as the results of a
form input. Buffers are fixed in size. If too much data gets into the buffer, causing unpredictable results, that’s a buffer overflow.
The impact of all these situations is similar in that the system will at best kick out an
error (that hopefully is well handled) and at worst cause a system lockup.
Pointer/Object Dereference
A pointer is an object used in most programming languages that “points to” another value
in memory. Unlike a variable, a pointer references a memory location. When a pointer
accesses the stored value, this is known as pointer/object dereference. If a bad actor can get
a pointer to point incorrectly, a dereference can cause havoc to the code. If the bad actor
can get a pointer to point to no memory location—a null pointer dereference—this can
cause some very negative results. The impact of this vulnerability mirrors the impacts of
previously discussed vulnerabilities, such as crashes, freezes, reboots, and worse.
Resource Exhaustion
Resource exhaustion isn’t a vulnerability itself but rather the result of an attack that takes
advantage of one or more of the memory-specific vulnerabilities previously described to
bring down the system. Another example is sending malformed packets to a system, such
as bad pings, that cause the server to churn so hard that it becomes inoperable. Resource
exhaustion is the basis for denial-of-service (DoS) attacks that seek to make resources
(servers, services, and so on) unavailable for legitimate users. (We’ll see more on DoS and
related attacks in Chapter 8.)
Weak Encryption
Securing any app is an ongoing battle between the good guys keeping encryption strong
versus bad guys working to crack that encryption. One of the most obvious examples of
this ongoing battle is in wireless networking. When Wi-Fi first arrived, WEP for security
was fine-ish, but it was quickly cracked. Weak configurations and, in this case, weak
encryption exposed wireless users to vulnerabilities. The industry came out with WPA,
then WPA2, and then WPA3, trying to stay ahead of the bad guys. You’ll remember all
this from your CompTIA A+ and Network+ studies. The same vulnerabilities apply to
every type of encryption used in modern networks.
NOTE Many people will argue that WEP wasn’t/isn’t an encryption standard.
As its name implies, Wired Equivalent Privacy was intended to provide
security and confidentiality as good as a wired network. We get it.
05-ch05.indd 272
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-1: Types of System Attacks
273
Part of the struggle faced by developers is maintaining backward compatibility with
older encryption standards while supporting newer, more secure encryption standards.
A typical Web server can support 10–20 different types of encryption to enable different
clients to connect and do business securely. A clever bad actor can take advantage of this
by requesting the weakest type of encryption from a Web server in the hopes of getting
something easily crackable. Organizations need to update and patch operating systems,
firmware, and applications regularly just to keep up with the bad guys. You’ll see this
evolution and battle as we discuss encryption implementations in subsequent chapters.
NOTE The Padding Oracle On Downgraded Legacy Encryption (POODLE)
attack from a few years back offers a stark example of clever attacks like the
one listed above. Attackers used exploits to make apps drop from TLS to
SSL security and then took advantage of known vulnerabilities of SSL to get
information. We’ll look at more attacks like this in Chapter 6.
DLL Injection
A dynamic-link library (DLL) is a file used in Windows systems that provides support
code to executable files. Every Windows system has hundreds of DLLs, most commonly
stored in the \Windows\System32 folder (Figure 5-4). Most applications provide their
own DLLs as well. DLLs help reduce code size and speed up processing.
Figure 5-4 Just a few of the DLLs on Mike’s laptop
05-ch05.indd 273
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
274
DLL injection is a technique used by bad actors to get users to run malicious code. The
code runs in the address space of another process and loads a malicious DLL. Once the
DLL runs, all the usual impacts come into play: system control is one of the most common, used to zombify systems for distributed denial-of-service (DDoS) attacks—where
attackers use many systems to hammer a server to try to shut it down. (See Chapter 8 for
more details about DDoS and related attacks.)
NOTE Injection-style attacks don’t stop with DLLs. You’ll see them
again with SQL, XML, and more in Module 11-3. (I see you trembling
with anticipation!)
API Attacks
No program is an island. When you fire up Microsoft Word, for example, you’re actually
starting a program called winword.exe. The winword.exe executable acts as an orchestra
conductor, automatically opening dozens or hundreds of other executables and DLLs
as needed to enable Word to open and close files, to spell check, to access files across a
network, and more. Interconnecting applications requires functions and procedures—
programming—that can bridge the gap to, in effect, translate from one application to the
other. These helper/translator applications are called application programming interfaces
(APIs). Like most things in computing, APIs started with little to no security. This has
changed over time and version updates.
Bad actors look for unpatched or earlier versions of APIs in use to take advantage of
discovered weaknesses and perform an API attack. If you have software of any form, that
software uses one or more APIs, and at some time or other, bad guys have figured out
ways to take advantage of that software. Web browsers, for example, interact with APIs
on Web servers. Bad actors exploit weaknesses in these APIs to intercept data, disrupt
systems, take down systems, and so forth.
Privilege Escalation
Privilege escalation, the process of accessing a system at a lower authentication level and
upgrading (escalating) authentication to a more privileged level, presents attack opportunities against applications. All of the common operating systems require every user and
every process accessing the system to go through some form of authentication/authorization procedure. If an attacker can access a system using a low-level access account such as
public, everyone, or guest, he or she may find a bug that gets him or her to the highest
access levels (root, administrator, etc.).
NOTE A service account, unlike an account used by people (guest, user,
root), is used by some process running on the system that needs access to
resources. The nature of service accounts prevents typical authentication
methods because they lack anyone to type in a password. This makes service
accounts a prime target for attacks. Over the years hundreds of well-known
exploits have used service account privilege escalation as an attack surface.
05-ch05.indd 274
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-1: Types of System Attacks
275
Operating systems are designed to prevent privilege escalation. Attackers need to find
some type of bug, sometimes even through an application running on the operating system, that gives them higher privilege. Alternatively, attackers can find an alternative login
that may not have a higher privilege but might give access to something that lets them do
what they need to do. If an attacker wants to access a printer, he doesn’t need root access,
just some account that has access to that printer.
NOTE Well-patched operating systems are extremely resilient to
privilege escalation.
Services
Operating system services provide an attack surface for bad actors to attack applications.
For a Windows-centric person, a service is any process that works without any interface
to the Windows Desktop. You can access all running Windows services using the aptly
named Services app (Figure 5-5).
Attacking a Windows service is pretty much the same as attacking an application.
Attackers can use man-in-the middle attacks if possible, or they can use privilege escalation if they can find an exploit.
Figure 5-5 Services in Windows
05-ch05.indd 275
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
276
Figure 5-6 Internet services
NOTE The CompTIA Security+ objectives version 3 changed man-in-themiddle attacks to on-path attacks. We’ll discuss these sorts of attacks in
much more detail in Chapters 6 and 11.
A more Internet-centric person would define services as processes that listen on a
TCP/UDP port to provide some sort of (again aptly named) service. In Windows, you
can see TCP/IP services, including the process providing that service, using netstat –a –b
(Figure 5-6).
Linux users don’t have this confusion. A Linux service is only a process listening on
a TCP/UDP port. Linux does not separate processes that interface to the desktop from
those that do not. There is no Linux equivalent to Windows’ Services app.
Driver Manipulation
Every piece of hardware on a computer (with the exception of RAM) communicates
with the operating system via device drivers. Attackers either can send communications
to device drivers to make them do things they were never supposed to do, or can replace
the device drivers with corrupted device drivers to gain privilege escalation or launch
spoofing attacks.
05-ch05.indd 276
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-1: Types of System Attacks
277
There are two attack surfaces to manipulate device drivers to do malicious things,
driver refactoring and driver shimming. Neither attack surface is unique to device
drivers—both are present in any type of code—but they are the two best ways to attack
an individual system via its device drivers.
Refactoring
Programming is all about inputs and outputs. A piece of code takes input and, based
on that input, does some type of output. For software developers, refactoring means to
rewrite the internals of a piece of code without changing the way it reacts to input or how
it performs output.
The many device drivers that talk to system hardware are certainly code. Hardware
manufacturers always want to make their drivers faster and smaller, so refactoring is a
common feature with device drivers.
Refactoring can have a slightly different, malevolent definition. Refactoring can mean
to reprogram a device driver’s internals so that the device driver responds to all of the
normal inputs and generates all the regular outputs, but also generates malicious output.
A refactored printer driver that works perfectly but also sends all print jobs to an evil
remote server is an example of this other type of refactoring.
EXAM TIP Every operating system provides a method of driver signing that
is designed to prevent refactoring attacks on device drivers.
Shimming
Refactoring was a very common attack for many years, but today all operating systems
use driver signing that confirms the exact driver files used. The operating system detects
any changes and deals with them in one way or another, so replacing a device driver’s files
isn’t as easy as it used to be. To get around this issue as an attacker, instead of replacing
a signed file (or files), why not just throw another file or two (with the extra evil code)
into the system?
A shim is a library that responds to inputs that the original device driver isn’t designed
to handle. Inserting an unauthorized shim, called shimming or a shim attack, is more
common than refactoring because it does not require replacing an actual file—it merely
relies on listening for inputs that the original device driver isn’t written to hear.
Malicious Code or Script Execution
Modern computing systems are filled with tools to enable properly written code or scripts
to do all kinds of powerful actions to the operating system or applications. CompTIA’s
Security+ objective 1.4 lists the following: two shells, PowerShell and Bash; one compiled
general-purpose language, Visual Basic for Applications (VBA); one interpreted generalpurpose scripting language, Python; and the word “macros” (a lovely generic term that
the author assumes CompTIA uses to refer to the combination and automation of commands built into an application like Microsoft Excel).
05-ch05.indd 277
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
278
PowerShell
Python
Bash
Macros
VBA
Figure 5-7 We’re totally different, but we can do the same jobs!
These five things are very different in what they do, where they work, and how they’re
used. Yet collectively these five shells/languages/macros provide virtually identical tools
to write amazing code to get work done (Figure 5-7).
NOTE I don’t want to enumerate these five shells/languages/macros every
time they come up, so let’s have a little fun and invent a term, just for this
one small section: PPBMV (PowerShell, Python, Bash, Macros, Visual Basic for
Applications). Once we’re done here, feel free to forget it.
Let’s consider one example, changing file permissions. Every single member of
PPBMV can change file permissions. PowerShell has the set-acl command to change
NTFS permissions. Bash and Python can just run a chmod. VBA and most macros in
Windows applications can change file permissions as well.
Changing file permissions is just one example of what PPBMV can do. These tools
can edit the registry (in Windows), change IP addresses or computer network names,
manipulate files; this list goes on and on. These capabilities enable PPBMV to do good
work, and we want PPBMV to have these features. But there’s a downside. Actions such
as changing file permissions is also a dangerous thing done maliciously. We provide security to systems by first limiting what PPBMV can do and second, by watching for indicators of compromise such as unauthorized changes in permissions. Don’t blame the tool;
blame the way it is used (Figure 5-8)!
Limiting what PPBMV can do is done on a platform-by-platform basis. You can
enable features such as execution policies and Constrained Language mode to limit
what PowerShell can do, for example. You can isolate PPMBV on hosts with host-based
firewalls. You can even completely delete these tools from your host unless they are
needed. The trick here is understanding the power of PPBMV and doing your best to
limit that power unless you need it.
05-ch05.indd 278
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-2: Malware
279
Figure 5-8
Don’t blame
PPBMV, blame
the attacker
Do Evil !
Yessir !
VBA
Module 5-2: Malware
This module covers the following CompTIA Security+ objective:
• 1.2 Given a scenario, analyze potential indicators to determine the type
of attack
Programmers with evil intent write software that attacks systems to gain control, do
damage, or extract financial gain. This malicious software—malware—comes in many
forms, for evil programmers can be just as clever as good programmers. The CompTIA
Security+ exam will challenge you with scenario questions that expect you to recognize
the symptoms of certain types of malware. Let’s go through the following types and make
sure you’re aware of the differences:
•
•
•
•
•
•
•
•
•
•
•
05-ch05.indd 279
Virus
Cryptomalware/ransomware
Worm
Trojan horse
Potentially unwanted programs (adware, spyware, crapware)
Bots/botnet
Logic bomb
Keylogger
RAT
Rootkit
Backdoor
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
280
Each section explores the malware, then finishes with a description of the symptoms
and action(s) you should or could take to deal with an attack of that type. Some of the
fixes involve actions to ameliorate the problems; others just acknowledge the obvious and
recommend rebuilding and cutting your losses. Let’s take a look.
Virus
A virus is a piece of malicious software that must be propagated through a definite user
action. In other words, it normally cannot spread by itself. It requires a user to initiate,
in some way, the execution of the virus. Sometimes this action is very subtle, and the
unsuspecting user may not even know that his actions are executing a virus. For example, he may open an infected file or executable, spawning the virus. Normally, viruses
are propagated via download from malicious Internet sites, through removable storage
media (USB sticks, for example) passed along from person to person, or through the
transmission of infected files from computer to computer via e-mail or file sharing.
Viruses have a variety of effects on computers and applications. These effects range
from affecting performance by slowing down the system, filling up storage space, and
slowing down the host’s network connections, to more serious impacts, such as recording
passwords and other sensitive information, and rendering the host completely unusable
or even unbootable. Some viruses infect files, while others, usually more serious ones,
infect the boot sector of media. These boot-sector viruses automatically execute in the
computer’s memory when the host boots up; at that moment, there is no OS-based antivirus software loaded to detect or eradicate it, so it has already done its damage by the
time the OS loads. Usually, the only way to get rid of a boot-sector virus is to boot the
host off of a known good (meaning clean and free of malware) media, such as a new hard
drive, bootable optical disc, or a USB stick. The boot media should also have specialized
antivirus software loaded on it to detect and clean the infection.
A particularly vicious form of malware—called fileless malware (CompTIA calls it
fileless virus)—behaves in some ways like a virus, attacking and propagating, but differs
in one fundamental aspect. Fileless malware lives only in memory, not writing any part
of itself to mass storage. Fileless malware often uses tools built into the operating system, such as PowerShell in Windows, to attack that very system. Anti-malware software
struggles to identify, let alone mitigate, fileless malware.
You might have wondered why it seems so easy for hackers to create viruses that can
do so much damage; in fact, there are many programs on the Internet that help hackers
create viruses easily. Some require extensive programming skills, and others are simple
graphical programs that require almost no knowledge at all. Figure 5-9 gives an example
of one such program, TeraBIT Virus Maker, but there are hundreds more out there.
• Symptoms: System slowdown; some action against your system.
• Action: Use an anti-malware program from a live boot to clear the virus from
the system.
05-ch05.indd 280
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-2: Malware
281
Figure 5-9 TeraBIT Virus Maker, a virus creation program
Cryptomalware/Ransomware
Cryptomalware uses some form of encryption to lock a user out of a system. Once the
cryptomalware encrypts the computer, usually encrypting the boot drive, in most cases
the malware then forces the user to pay money to get the system decrypted, as shown in
Figure 5-10. When any form of malware makes you pay to get the malware to go away,
we call that malware ransomware. If a cryptomalware uses a ransom, we commonly call
it crypto-ransomware.
Crypto-ransomware is one of the most troublesome malwares today, first appearing
around 2012 and still going strong. Zero-day variations of cryptomalware, with names
such as CryptoWall or WannaCry, are often impossible to clean.
• Symptoms: System lockout; ransom screen with payment instructions.
• Action: Use anti-malware software from a live boot to clear the cryptomalware
from the system.
NOTE Most cryptomalware propagates via a Trojan horse. See the upcoming
“Trojan Horse” section for more information.
05-ch05.indd 281
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
282
Figure 5-10 CryptoWall, an infamous crypto-ransomware
Worm
A worm is much like a virus, in that it can cause disruptions to the host, slow down
systems, and cause other problems. However, a worm is spread very differently from a
virus. A worm is usually able to self-replicate and spread all over a network, often through
methods such as instant messaging, e-mail, and other types of network-based connections. The big difference between a virus and a worm is that a virus can’t spread itself; in
other words, a virus requires a user action to replicate and spread. A worm doesn’t have
this problem and can automatically replicate over an entire network with very little user
05-ch05.indd 282
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-2: Malware
283
intervention. This unfortunate characteristic of a worm is what causes it to be a significant problem in large networks. Examples of famous worm infections include MyDoom,
Blaster, and the Win32Conficker worm.
• Symptoms: System slowdown; unauthorized network activity; some action
against your system.
• Action: Use an anti-malware program from a live boot to clear the worm from
the system.
Trojan Horse
A Trojan horse isn’t really a type of malware; it’s more a method by which malware propagates. Named after the Greek Trojan Horse of mythological fame, a Trojan horse is a
piece of software that seems to be of value to the user. It could be in the form of a game,
utility, or other piece of useful software. It is malware, however, and serves a specific
function. Usually a Trojan horse has the goal of collecting personal information from a
user, including user credentials, financial information, and so on. It can also be used as
a generic container used to spread viruses and worms. (Note that symptoms and actions
will follow the payload type, so will vary a lot.)
EXAM TIP The CompTIA Security+ exam refers to Trojan horse malware as
simply “Trojans.”
Potentially Unwanted Programs
Although technically not malware, some programs installed on your computer have
negative or undesirable effects. Makers of the programs resented labels such as adware,
spyware, bloatware, crapware, and so on, and sued the anti-malware companies to stop
the use of such terms. For legal reasons, therefore, the industry adopted the term potentially unwanted programs (PUPs) as a blanket term for these programs that have negative
effects on your computer.
PUPs differ from malware because users consent to download them. That “consent”
typically is obtained through sneaky, deceitful, or underhanded means. Often the user
might seek to download a perfectly legitimate, useful application, but then clicks what
seems to be the download option, only to install some PUP instead.
Figure 5-11 shows a common bait-and-switch operation. Using a reputable thirdparty download site—CNET—I clicked the option to download CPU-Z (an excellent
system hardware reporting tool, by the way). Rather than the download starting immediately, I was kicked to the page in Figure 5-11. At the top of the page in fine print it
says “Your download will begin in a moment. If it doesn’t, restart the download.” Fine;
companies like CNET make money off ads. That’s just capitalism. But at the bottom of
the page, you see the giant “Start” button? Click that and you’ll install a nasty PUP, not
the desired utility program.
05-ch05.indd 283
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
284
Figure 5-11 Underhanded and sneaky ad trying to trick user into installing a PUP
Adware
Adware is the name given to annoying advertisements that come in the form of pop-up
messages in a user’s browser or on a user’s screen outside of a browser session. These messages usually want the user to visit a site, buy a product, or click the ad itself. At best,
these messages can be irritating, interrupting a user’s activities with the pop-up message,
but sometimes they are a real hindrance to productivity, often redirecting the user’s home
pages in the browser or spawning several (sometimes dozens to hundreds) of pop-ups or
Web sites at once.
Computers get adware infections pretty much the same way they get other types of
malware. The user may click a Web link or download something that changes browser or
other configuration settings on the host, resulting in the continuous stream of pop-ups.
Adware can even be included with purposefully downloaded, seemingly unrelated applications. Sometimes the user is asked to allow the installation of an add-in or browser
helper object (BHO) to view a certain file type or run a piece of browser-based software.
Most of the time, unsuspecting users will allow the installation by default, opening the
door to pop-ups, automatically spawned programs, and browser redirection.
• Symptoms: Unauthorized Web browser redirection; pop-up ads.
• Action: Use an anti-malware program from a live boot to clear the adware
off the system.
05-ch05.indd 284
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-2: Malware
285
Spyware
Spyware isn’t a type of malware; it’s more of a goal for some types of malware. Spyware
is a virus or Trojan horse in form, but we tend to classify spyware by its function rather
than type. Spyware is used for the specific purpose of surreptitiously observing a user’s
actions and recording them, as well as stealing sensitive data, such as passwords, credit
card information, and so forth. Spyware can send data back to the attacker, quietly of
course, so that the user can’t easily detect it. Spyware can also dump data into a file so an
attacker can later retrieve it directly from the system if she has physical access. Spyware
can affect hosts through various means, in usually the same way that other malware does.
NOTE The spyware aspect of a malware can take many forms. Look to the
specific payload type for all the malware symptoms and the actions you
should take to combat it.
Crapware
The rather derogatory term crapware describes software that purports to help users
accomplish tasks, but instead directs the users to sites that primarily benefit the software
developers. The most common of these programs are the free, additional toolbars that
install in Web browsers. These have built-in search and help features, but they don’t take
you to the excellent Google or Bing search tools. Instead, they send the unsuspecting user
to ad-filled mediocre search pages, track user searches, and more. Educate users not to
install these foul things!
Bots/Botnets
A botnet is a distributed type of malware attack that uses remotely controlled malware
that has infected several different computers. The idea is to create a large robot-like
network used to wage large-scale attacks on systems and networks. Once the malware is
installed on the host, the attacker can control hosts remotely and send malicious commands to them to be carried out. The hosts are called bots, or zombies, because they obey
only the orders of the attacker once the attack begins.
One of the common implementations of bots and botnets involves servers that control
the actions of the bots. These command and control (C2) protocols try to automate the
control, not requiring human interaction after the initial programming. See Chapter 8
for more details about C2 protocols, botnets, and the brutal attacks they can deliver, such
as DDoS attacks.
Among the different attack methods that botnets can use is sending massive amounts
of malware to different computers, sending large volumes of network traffic, and performing other methods designed to slow down or completely disable hosts and networks.
Botnet attacks can spread rapidly once activated and can be very difficult to counter.
05-ch05.indd 285
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
286
In fact, one of the attack methods used during an attack is to infect other hosts and have
them join the botnet:
• Symptoms: Usually undetectable until activated. System slowdown in some cases.
• Action: Use an anti-malware program from a live boot to clear the bot from
the system.
Logic Bomb
A logic bomb is often a script set to execute either at a specific time or if a certain event or
circumstance takes place on the system. It is designed to take malicious actions when it
executes. An example of a logic bomb is a script that has been written to begin erasing file
shares or disk storage at a certain time or date. Most logic bombs are timed to execute by
including them as a scheduled event using the operating system’s event scheduling facility, such as the AT command in Windows or the cron utility in Linux-based systems. A
logic bomb is not necessarily a form of malware—at least it’s not the kind that can easily
be detected by anti-malware software.
Logic bombs are usually planted by a malicious insider or a disgruntled administrator;
most of the logic bomb attacks recently sensationalized in the news media involved a
rogue administrator dissatisfied with an employer for whatever reason. Detecting a logic
bomb can be troublesome; it usually requires examining any files, utilities, and scheduled
jobs the malicious user had access to, as well as auditing the user’s actions and reviewing
the access logs that recorded any use of his privileges.
• Symptoms: Usually undetectable until activated. System damage, data loss.
• Action: Restore system from backups.
Keylogger
A keylogger is a piece of malware that records keystrokes. Most keyloggers store a certain
number of keystrokes and then send the stored keystrokes as a file to the bad actor.
Recorded keystrokes are one of the best ways to collect passwords, filenames, and other
highly personalized types of information. Keyloggers are not all evil. They are a very
common feature for parental control software. Figure 5-12 shows one example, Spyrix
Free Keylogger.
NOTE Keyloggers also manifest as malicious hardware dongles that sit
between your keyboard and your system.
Hardware keyloggers manifest as tiny USB adapters that fit between a keyboard USB
connector and the USB port on the system. They’re nondescript and do not show up
as system devices, so you won’t know they’re present without physical inspection. They
05-ch05.indd 286
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-2: Malware
287
Figure 5-12 Keylogger interface
come in a couple of varieties. Some have flash memory built in and require periodic
physical removal for scanning. Others transmit wirelessly to a receiving system.
• Symptoms: Often no symptoms at all. System slowdown; unauthorized
network activity.
• Action: Use anti-malware software from a live boot to remove the keylogger
software. Removing keylogger hardware requires suspecting such a device might
exist, finding it, and physically removing it from the system. Then smashing it
with a hammer.
RAT
RAT stands for one of two things. First, RAT stands for remote administration tool, which
is some form of software that gives remote access for administrators and IT support. We
use this kind of RAT all the time in IT to log into servers, remote cameras, Internet of
Things (IoT) devices (lightbulbs, thermostats, etc., connected to the network), and to
provide support for users all over local networks and the Internet.
Second, RAT also stands for remote access Trojan, which is a remote administration
tool maliciously installed as a Trojan horse to give a remote user some level of control
of the infected system. This can be as simple as just opening a Telnet server on the
infected system to full-blown, graphical remote desktops. RATs are often an important
part of a botnet.
• Symptoms: Usually undetectable until activated. System damage, data loss.
• Action: Restore system from backups.
05-ch05.indd 287
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
288
Rootkit
A rootkit is a piece of malware that attempts to infect critical operating system files on the
host. Often, anti-malware software cannot easily detect rootkits, so they can reside on the
system for quite a while before detection. Additionally, rootkits can thwart anti-malware
software because they can send false system information to it, preventing it from detecting and eradicating not only itself but other malware as well.
• Symptoms: Often no symptoms at all. System slowdown; unauthorized
network activity.
• Action: Although you can find anti-malware software that claims it can remove
a rootkit, always opt for the better solution: wipe the drive and reload.
Backdoor
A backdoor is an entry method into a piece of software (application or operating system)
that wasn’t intended to be used by normal users. Most backdoors are created as a maintenance entry point during software development, usually by the programmers creating the
software. These maintenance backdoors should be closed prior to software release, but
often they are either forgotten about or left open intentionally to bypass security mechanisms later after the software is released, either by the programmer or a malicious entity.
NOTE A few smartphones and other mobile devices manufactured in China
have been found to have backdoors.
Backdoors can also be created by hackers during an intrusion into a system; often
their goal is to have a way back into the system if their primary entry point is taken away
or secured. Again, backdoors usually bypass security mechanisms that normally require
identification and authorization, so this is a serious security issue. Vulnerability testing
can often detect these unauthorized entry points into a system, but sometimes more
in-depth testing methods, such as penetration testing or application fuzzing, may be
required to find them.
NOTE Like Trojan horses, a backdoor is a method of entry into a system, not
a malware type. Look for the specific payload type to determine symptoms
and actions you should take to protect or remediate.
Module 5-3: Cybersecurity Resilience
This module covers the following CompTIA Security+ objective:
• 2.5 Given a scenario, implement cybersecurity resilience
05-ch05.indd 288
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-3: Cybersecurity Resilience
289
Was that an
attack?
Figure 5-13
I rebuff your
pathetic
attempts!
Attack
tor
Vec
What if you could design a system such that even if successfully attacked, the system could in some way quickly (as in a matter of seconds) rebuild itself or, even better,
weather an attack without the attack being able to do any real damage? That’s the idea
behind cybersecurity resilience: adding technologies and processes that don’t stop attacks,
but enable the system to recover easily (Figure 5-13).
EXAM TIP Resilient systems don’t eliminate risk. That’s impossible! Resilient
systems fight off attacks more readily than systems with less resilience. They
handle risks better, in other words. The principles here apply to individual
systems and to larger “systems,” such as an enterprise network.
There are many ways to make systems more resilient, but it helps to organize these
methods into three main categories: non-persistence, redundancy, and diversity. Nonpersistence simply means to possess a method to bring a system back quickly to its preattack state. Redundancy means to have more than one of some functioning feature of a
system or even another complete system. Diversity refers to the practices of using a variety
of technologies, vendors, cryptographic systems, and controls to avoid the possibility
that all systems have the same vulnerability and can be taken out en masse.
Non-persistence
A typical individual system is persistent in that it has a fixed set of hardware, a fixed
operating system, and a fixed configuration. If you turn off a system and turn it back on,
you have the same hardware, the same operating system, and the same configuration. It
is persistent.
The downside to a persistent system is that if an attack takes place, that attack will
in some way change some aspect of that persistent state. The attack might wipe a hard
drive. It might inject evil device drivers. It might create privileged users you don’t want
on the OS. If any attack takes place, there’s a good chance you’ll have to go through some
painful recovery process. This might include reinstalling an operating system or rebuilding from backups. These are time-consuming processes and ones to avoid by using less
persistent systems.
05-ch05.indd 289
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
290
Achieving non-persistence means pursuing one of these options:
•
•
•
•
Virtualization/snapshots
Revert to known state
VMs and automation
Live boot media
Virtualization/Snapshots
There are many reasons virtualization has taken over the world of serving systems these
days. One reason is the ease of recovery by simply shutting down a virtual machine (VM)
and then restarting it without affecting any of the underlying hardware. But another feature, and the one that very much fits under the idea of non-persistence, is the snapshot.
A snapshot is the stored difference between the files in one version of a VM and the files
in another version. While the snapshot procedure varies from one virtualization platform
to another, imagine a perfectly functional VM where you change a single device driver,
only to discover over time that the device driver is buggy and keeps causing your VM to
crash. If this were a classic persistent system, you’d have to reinstall the device driver. If
you made a snapshot of the system before you installed the device driver, however, you
could simply revert to the earlier snapshot and bring the system back to its original function (Figure 5-14).
Snapshots are a critical non-persistence tool for VMs. Every time you change a driver,
update an application or service, patch a client OS, or take any other action that makes
any significant change to your VM, run a snapshot.
Revert to Known State
Every technician has made some change to an operating system, only to find that the
change he or she made is flawed in some way. A bad driver, a poorly distributed patch,
or an OS update that fails to perform the way the tech thought and causes problems can
Figure 5-14 Snapshots in VirtualBox
05-ch05.indd 290
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-3: Cybersecurity Resilience
291
Figure 5-15 Restore points in Windows
make the tech want to go back to the way things were before the change was made. If
you have a virtual system, you can easily erase such changes via a snapshot. On a fixed
traditional system, it’s not that easy.
Every major OS has some form of revert/rollback method to bring a system back to
a previous state, what the CompTIA Security+ objectives call revert to known state. All
revert/rollback methods work by making the OS aware of changes and then storing files
or settings in such a way that techs can look up previous states and tell the OS to go back
to one of those states.
Microsoft Windows enables you to create a restore point—a capture of the overall
operating system and drivers at that moment in time—that enable you to revert the
operating system to an earlier configuration (Figure 5-15). Windows restore points aren’t
perfect. They don’t save user information or installed applications; but other than those
two issues, restore points are very powerful.
Device drivers, especially video card drivers, often have unforeseen problems that
motivate a return to a previous driver version. Equally, a refactored device driver might
wreak havoc on an otherwise perfectly good system. Again, Windows has an elegant solution in the Roll Back Driver feature, as shown in Figure 5-16.
05-ch05.indd 291
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
292
Figure 5-16 Roll Back Driver in Windows
Apple macOS machines rely on Time Machine, a program that records snapshots of
the state of the computer over time to an external drive (Figure 5-17). If you support
Macs, establish Time Machine for every system.
Apple macOS doesn’t have a roll back driver feature similar to that in Windows for two
reasons. First, Apple checks all drivers much more aggressively than Microsoft; so bad,
refactored, or shimmed drivers almost never happen. Second, Time Machine supports
drivers as well, making a separate rollback feature unnecessary.
EXAM TIP Older Windows versions (such as Windows 7) offered a boot
feature called last known good configuration that enabled quick recovery
from installation of a buggy driver. The feature was especially useful with
buggy video card drivers. The inability to get into the Windows graphical
user interface made troubleshooting or uninstalling problematic. Windows
10 has much more powerful tools through Advanced Recovery options.
Not sure why CompTIA left last known-good configuration in the Security+
objectives, but now you know what it is.
05-ch05.indd 292
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-3: Cybersecurity Resilience
293
Figure 5-17 Time Machine in macOS
VMs and Automation
Many modern networks use virtualization technologies to provide both rollouts and
rollbacks of many systems all at once. With a master image—the desktop environment
for users of very specific hardware and configurations—a central server can push that
image to every local computer. Automation/scripting can make rollouts regular, such as
after patch Tuesday—and configuration validation (i.e., it works!)—so users always have
up-to-date builds. This kind of automated course of action helps keep systems current.
EXAM TIP You’ll see this aspect of VMs—the capability to push out multiple
identical copies—categorized as replication on the CompTIA Security+ exam.
Plus, master images enable network administrators to respond very quickly to problems. With continuous monitoring, as you’ll recall from Chapter 3, network administrators keep up with the reporting from network monitoring and managing tools. If a recent
rollout hits snags, the network techs can fix the master image and, with a manual rollout,
essentially “roll back” the problematic build. Similarly, if a new bug or attack causes problems, a fixed and validated master image can be quickly deployed.
05-ch05.indd 293
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
294
NOTE Virtual machine developers, like VMware, enable you to create a
template of a completed VM that you can use to create identical versions
of the VM. Templates provide excellent flexibility and rapid deployment of
additional servers as needed.
Live Boot Media
If you want the ultimate in non-persistence on a non-VM system, you can always use
some kind of live boot media. Live boot media are complete, installed operating systems
that exist on bootable media. The names change to match the media. On optical media,
for example, they’re called live CDs; for consistency, bootable flash-media drives should
be called live sticks (they’re not), but they’re usually just called bootable USB flash drives.
You boot a system to the live boot media and use the OS as configured. Your system
doesn’t even need a hard drive. Live boot media are very popular in Linux environments,
giving you an opportunity to try a Linux distro without installing it on your hard drive
(Figure 5-18).
Live boot media go way beyond test-driving Linux. You can easily install a carefully
configured system, say a DNS server, to a live boot and run the entire server in that fashion. As long as the serving system doesn’t need to store any persistent data (like a database
Figure 5-18 Live CD installation option in Linux
05-ch05.indd 294
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-3: Cybersecurity Resilience
295
Figure 5-19 Kali Linux downloads
that changes), you can run almost any OS/application combination from a live boot
media. One of the most popular live boots is Kali Linux, the go-to Linux distro, stuffed
full of many IT security tools (Figure 5-19).
Redundancy
Non-persistence provides excellent resiliency in most cases, but falls short in data storage
when there are big changes in the state of the stored data. Snapshots/reverts are wonderful for subtle changes in operating systems, such as a security patch or a driver update,
as they don’t require much mass storage space. They simply aren’t designed to deal with
big changes to data, such as customer databases, inventories, users’ file storage, and other
such data that requires a lot of hard drive space. Traditionally, this type of data is backed
up daily; in this situation, turn to redundancy to provide the system resiliency needed.
But where to apply redundancy? There are several options. You can create redundant mass storage, redundant systems (including their mass storage), even redundant
05-ch05.indd 295
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
296
networks (including all the systems and all their mass storage). You can create more than
one copy of non-OS critical data so that if one copy dies, another copy is ready to go to
keep the systems up and running. Redundancy is everywhere!
The Benefits of Redundancy
At first glance, it’s easy to look at redundancy as nothing more than a backup of storage,
systems, or even networks, but true redundancy is far more powerful. First is fault tolerance. With fault tolerance, the secondary storage, the system, and the network are online
and ready to go. If something goes wrong, the data on the storage or the services provided
by the system can have a minimal amount of disruption. Second, redundancy provides
high availability. High availably means using redundancy in such a way as to ensure that
certain levels of operational performance are balanced against risk. Third, you can work
on one of your services offline with minimal impact to your customers, whether that’s
adding capacity or repairing a component. Let’s look at the redundancy technologies that
provide both fault tolerance and high availability.
RAID
Redundant array of inexpensive disks (RAID) is a fault tolerance technology that spans data
across multiple hard disk drives or solid state drives within a server or workstation. This
level of fault tolerance specifically addresses hard drive failure and balances the need for
data redundancy with speed and performance. RAID uses multiple physical mass storage drives to create logical drives, usually making it transparent to users. Data is spanned
across the different physical drives, along with metadata (usually parity information), so
that if any one drive fails, the other drives in the RAID set can continue to provide data
while the single drive is replaced.
NOTE Many IT specialists prefer to describe RAID as “redundant array of
independent disks,” rather than the original inexpensive. You’ll definitely
see the terms out in the wild both ways. CompTIA goes with the original
wording. Just remember RAID and you’ll be fine on the exam.
There are several different RAID levels; which one you should use for a system
depends upon different factors, including the number of available disks and the balance of total available space for storage, as well as the levels of speed and performance
the system requires. RAID levels can be implemented in several ways. Striping typically
means writing pieces of data equally across two physical disks. Mirroring, in contrast,
completely duplicates data on each disk. Using more disks, you can include parity information, which enables data to be restored in the event of a single disk failure. You’ll find
combinations of all these. Figure 5-20 illustrates examples of different RAID levels using
these techniques.
There are trade-offs for each of these different methods, which include total amount
of storage space, speed, performance, and the number of disks required in the RAID
array. Table 5-1 summarizes some of the different RAID levels and their details.
05-ch05.indd 296
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-3: Cybersecurity Resilience
297
Disk Mirroring
Figure 5-20
Examples of RAID
configurations
Duplicate data on both drives
Disk Striping (with parity)
1
2
3
4
P
Data written in blocks across all drives, with parity bits
Storage Area Networks
A typical LAN has file servers that store data that is accessed via network stacks. It also has
local storage that your system accesses via block-level controllers that access the drives.
A storage area network (SAN) is a network storage that enables you to access the shared
folders by using block-level controls rather than the network stack. This gives SANs some
unique capabilities, mainly on-the-fly volume creation/manipulation. On most systems,
Minimum Number of
Physical Drives Required
RAID Level
Details
RAID 0
Disk striping; does not use mirroring or parity;
provides for performance only with no
redundancy.
2
RAID 1
Disk mirroring; all data is completely duplicated
on both disks; uses no striping or parity but
provides for full redundancy at the expense of
the loss of half the total available disk space for
duplication.
2
RAID 5
Disk striping with parity; parity information is
spread across all disks evenly; 1/n of the total
disk space available is used for parity.
3 to n
RAID 6
Disk striping with double distributed parity; this
allows for failure of up to two drives.
4
RAID 1+0 (or
sometimes seen
as RAID 10)
Disk mirroring with striping; combines both RAID
levels 0 and 1 for performance and redundancy;
a stripe of two mirrored arrays.
4
RAID 0+1
Disk striping with mirroring; combines both RAID
levels 0 and 1 for performance and redundancy;
a mirror of two striped arrays.
4
Table 5-1 Summary of RAID Levels
05-ch05.indd 297
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
298
if you want to add storage, you first get a storage device, configure it, mount it, and
format it. On a SAN, you just tell the SAN controller to add another disk to your local
system. You can create a new volume or you can mount an existing volume.
System Redundancy
RAID is certainly the go-to technology to provide fault tolerance for mass storage, but
what about systems? What happens if the Web site sits only on one Web server and that
server fails? Server redundant technologies such as multipath, NIC teaming, geographic
dispersal, and virtualization provide both fault tolerance and high availability.
Multipath A multipath solution provides more than one way to access storage. A RAID
1 implementation with two controllers, one for each drive, is the traditional multipath
solution (called disk duplexing, as you might recall from CompTIA A+ studies). More
than one connection to a SAN is also a typical implementation of multipath.
NIC Teaming Network interface cards rarely fail, but when one does, the system with
the bad NIC is offline until the NIC is replaced. Network interface card (NIC) teaming
addresses this issue by using two or more NICs on a single system that act as though
they are a single NIC with one MAC address and one IP addresses. Not only does NIC
teaming increase throughput (sort of ), but if one NIC fails, the other continues to work
(Figure 5-21).
Figure 5-21 File server with NIC teaming
05-ch05.indd 298
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-3: Cybersecurity Resilience
299
NOTE NIC teaming doesn’t suddenly turn two Gigabit Ethernet NICs into
2-Gbps throughput for a system, although that’s a common misconception.
Moving one large file still tops out at 1 Gbps. Where you’ll see better
performance is when moving multiple files at the same time. The additional
NIC or NICs essentially offer additional 1-Gbps lanes for traffic.
Geographic Dispersal The gold standard for system redundancy is to make perfect
copies of the same system and spread them apart geographically, then use the Internet
to keep the copies identical. Geographic dispersal protects from natural disasters
and widespread Internet disruption. You can set up your own dispersed servers, but
virtualization services make it easy.
Virtualization/Cloud Services For decades we used real servers in real locations
(on-premises), but those days are over. Nothing beats virtualization, especially cloudbased services, for giving you all the benefits of redundancy, especially high availability,
without outrageous cost and time. First, virtualization solutions are incredibly scalable.
Let’s say you develop a new Web app and launch it on a single Amazon S3 server, and
suddenly your product is a huge hit (and the single server is swamped). Virtualization
services like Amazon S3 make it easy to spin up more copies of your server (although
you can do this locally—on prem, as they say—as well). Add as many copies as you want
and need!
EXAM TIP Expect a question on the CompTIA Security+ exam that explores
on-premises vs. cloud in terms of redundancy, high availability, and
scalability.
Virtualization also makes geographic dispersal easy to achieve. Is your new Web site
huge in Japan? Just tell Amazon to spin up some new servers over in Japan so your customers in Tokyo get the same speed and response as your US users (Figure 5-22).
The other amazing high-availability power of virtualization comes from elasticity.
Going back to the Web app idea, some Web apps have cycles of high and low demand
(tickets sales, sports broadcasts, etc.). These cases require scalability both in terms of
Figure 5-22 Virtualization makes geographic dispersal easy.
05-ch05.indd 299
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
300
expanding and contracting on an as-needed basis, better known as elasticity. All virtualization providers have simple features to add or remove server instances automatically
based on predetermined load values.
NOTE Industry uses the term template to describe a server purchase. For
example, you might order a certain tier of stuff. “I want a medium cluster
with a blue level of security and redundancy.” That’s the template. Once you
get it, you take a snapshot of it and can rebuild it at any time. So sweet!
Diversity
Security people have a tendency to stick with single technologies, crypto, and controls
from preferred vendors. Why not? We know they work, we know how to use them, and
we know how to fix them. The danger with such a lack of diversity is the possibility that
all systems have the same vulnerability and can be taken out en masse.
When organizations rely on multiple redundant technologies, vendors, cryptographic
systems, and security controls, that diversity provides cybersecurity resilience. If a single
technology fails, a vendor disappears, the crypto system is cracked, or security controls
change and conflict, an organization that employs multiple systems through diversity can
quickly pivot and implement fixes.
Diversity takes more work, sure. Security and network people need to master multiple
systems, vendor relations multiply with more than one vendor, and so on. But diversity
enhances cybersecurity resilience.
Module 5-4: Securing Hardware
This module covers the following CompTIA Security+ objectives:
• 1.2 Given a scenario, analyze potential indicators to determine the type
of attack
• 2.5 Given a scenario, implement cybersecurity resilience
• 2.7 Explain the importance of physical security controls
• 3.2 Given a scenario, implement host or application security solutions
• 3.3 Given a scenario, implement secure network designs
• 3.8 Given a scenario, implement authentication and authorization solutions
Many years ago, an overly cocky security tech friend presented a challenge to me. He
said that he had secured a server system so perfectly that no unauthorized person could
access the data, and he challenged me to try. Accepting the challenge, I didn’t waste a
moment trying to attack the system remotely. Instead, I simply put on some work clothes
to look like a maintenance man, went to the location, and used my social engineering
skills to gain entry. Once inside, I found the server and yanked out every hard drive.
With plenty of time and completely nonsecure hardware, it was just a matter of cracking
a Windows login and … success!
05-ch05.indd 300
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-4: Securing Hardware
301
There’s a strong lesson here for any security person. Physical possession of mass
storage—or complete systems that hold the mass storage devices—is every attacker’s
dream. Granted, getting to the data might be a challenge, but every pawn shop, every
classified advertising medium, and every law enforcement office in the USA is filled with
stolen systems. If an attacker can get to the physical system, no firewall, no network
login, no wireless access point is going to prevent him from eventually getting to the
precious data.
Secure hardware presents the last line of defense for these types of attacks. Virtually
every piece of hardware that runs an Intel- or ARM-based CPU comes prepackaged with
powerful tools to lock down a system to secure individual computers from physical attacks.
This module starts with a discussion of a few of the nasty types of physical attacks on
systems. The module then covers many of the technologies used to protect systems from
attacks, both intentional and unintentional. We’ll finish with more specific options for
securing boot integrity.
Physical Attacks
If a threat actor is allowed to get physical access to a system, even for the shortest of
moments, there are plenty of interesting tools the threat actor may physically connect to
the system to gather all kinds of information about the system, the users, and even the
network.
Malicious USB Cable/Drives
Any unused USB port on a system is a huge vulnerability. A bad actor can easily plug in a
Bluetooth adapter and instantly use his or her own Bluetooth keyboard. Figure 5-23 shows
one of my favorite tools, a HAK5 USB Rubber Ducky. I just plug it into any USB port
and it starts sending preconfigured commands, such as capturing keystrokes and delivering a payload to compromise the system.
The downside to a malicious flash drive is that someone is going to notice it eventually.
That’s why my good friends down at HAK5 make a similar tool that looks like a cable!
HAK5’s O.MG cables can plug between any two USB devices: smartphone to desktop,
smartphone to power charger, desktop to USB device (such as an external drive or keyboard). While still working as any USB cable should, the O.MG steals any information
it can based on how it is connected (Figure 5-24). The O.MG exemplifies a malicious
Universal Serial Bus (USB) cable as defined in the CompTIA Security+ objectives.
NOTE HAK5.org makes awesome tools for testing systems, part of the field
of pentesting. Check them out at https://shop.hak5.org.
I recommend disabling every unused USB port, usually leaving only one open in front
of the system, thus easily observed. See the following sections for more options.
05-ch05.indd 301
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
302
Figure 5-23 HAK5 USB Rubber Ducky
Figure 5-24
HAK5 O.MG cable
(Image: Berkah,
Getty Images)
05-ch05.indd 302
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-4: Securing Hardware
303
EXAM TIP Look for an exam question on controlling removable media. The
correct answer to the question likely will be related to disabling USB ports or,
more specifically, not allowing access to USB ports to malicious actors.
Attacking Cards
Attackers love to copy and clone our plastic cards—credit cards, loyalty cards, office
issued IDs … anything on a card is fair game to the right bad actor. The main weakness
to any form of plastic card is the magnetic stripe on the back. The information on those
stripes is easily read by a card scanner and can then be placed on another card. We call
this card cloning.
So how do the bad guys read our cards? By using card skimmers. These devices sit
surreptitiously on top of the card readers at ATMs, vending machines, gasoline pumps—
wherever users insert cards—and read the stripe, a process called skimming. Card skimmers also usually come with cameras to capture users typing in a PIN code, a ZIP code,
or a CVV code as well. Figure 5-25 shows an ATM skimmer.
Some security tools, in particular the EMV card format (the cards with the little chip),
make skimming and cloning a lot harder than it used to be, but the many countries that
have yet to fully adopt the EMV standards (such as the United States) are still happy
hunting grounds for skimmers and cloners.
Securing the Systems
The first thing on any security person’s list when new hardware comes in is to do what
can be done to secure the systems. These steps are always carried out when new systems
arrive and are brought online. Well, if not carried out, then at least considered!
Theft Prevention
All new equipment is given an inventory tag and tracked by installation location. Portable
devices are issued to specific individuals who are solely authorized to use them and hold
Figure 5-25
ATM skimmer
(Image:
Chalongrat
Chuvaree /
EyeEm, Getty
Images)
05-ch05.indd 303
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
304
some degree of responsibility for keeping them secure. Static devices are often secured
when possible.
You can stop theft with some good physical security. First, almost all desktop and
server system cases come with anti-intrusion alarms. If anyone opens the case, the system
sets off an audible alarm.
Second, get a cable lock, particularly if you place a laptop in a tempting location for
thieves. All laptops come with a reinforced cable lock port. You should consider Kensington Computer Products Group (www.kensington.com) for a variety of excellent cable
locking systems.
Finally, don’t forget a screen filter. Screen filters are excellent tools to narrow the field of
vision. This prevents shoulder surfers from observing the content of your screen.
Securing Physical Ports
As previously mentioned, an unused USB port is a huge vulnerability. Account for every
port on a system. USB ports are everywhere! Many monitors/displays have handy USB
ports. Most printers and multifunction devices (MFDs) have USB ports. Even many
home routers have USB ports. Those are the most important ones to turn off because
you rarely observe them.
If at all possible, turn off all unneeded ports. If a port cannot be turned off, physically
block it. Certain devices such as ports on portable devices need those ports working, so
it’s common to install USB data blockers, devices that you insert into a USB port that
deny any data flow into the port, while still providing power for charging smartphones
and such. See Figure 5-26. With a USB data blocker installed, devices like the previously
discussed HAK5 tools won’t work.
Securing Power
Good power is critical. All the locks, guards, and firewalls mean nothing if your systems
don’t have reliable, clean electrical sources. Let’s consider what an organization can do to
secure the power it has and needs.
EXAM TIP All this electrical stuff is more in the realm of data centers and
distribution frames that power lots of servers and networking devices. Most
of this equipment would make no sense in a home or office.
Dual Supply Many higher-end devices support dual power supplies. These aren’t
complicated: if one power supply goes out, the other takes over. The only trick to dual
power supplies is to make sure you buy a product that supports them and also make sure
that product comes with two power supplies.
Figure 5-26
USB data blocker
05-ch05.indd 304
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-4: Securing Hardware
305
Figure 5-27 Power generator (Image: Westend61, Getty Images)
Uninterruptible Power Supply An uninterruptible power supply (UPS) uses a small
battery (often the same type used in motorcycles) as a backup power source if the power
ever sags or goes out completely. It’s very common to place a UPS at the bottom of an
equipment rack, powering all the devices on the rack with quality, dependable power.
A UPS is designed to power a system for a few minutes to enable an orderly shutdown.
Generator If you need to ensure that a system has uninterrupted power for an extended
period of time after a power failure, you need to consider an onsite generator as a source
of backup electricity. Generators are expensive, but if you need real backup power, this
is your only choice. Most generators run on either natural gas or diesel (Figure 5-27).
Managed Power Distribution Units Great. You have a rack full of equipment and
that equipment needs power. You have a UPS at the bottom of your rack, but now you
need to distribute the power coming from your UPS to the devices. Plus you need to
ensure that you have sufficient outlets for all the gear on the rack. That’s where a power
distribution unit (PDU) comes into play. At the simplest end a simple power strip is a
PDU, but if you’re going to distribute power, why not use a managed PDU that can
monitor power usage, send alarms, and so forth?
Securing Boot Integrity
IT professionals need to plan for many contingencies so that users have secure computers
with which to work. At the system level, for example, they must assure the security of individual system components by securing the supply chain. Second, they must implement
05-ch05.indd 305
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
306
technologies that will protect data in the event of theft or unauthorized physical access to
systems. This section explores these aspects of physical security:
•
•
•
•
Using TCG technologies
Using TPM for boot security
Using disk encryption
Incorporating HSMs
Using TCG Technologies
The IT industry knew back in the mid-1990s that ensuring cross-platform technology
security was going to take a lot of big companies working together, so AMD, HewlettPackard, IBM, Intel, and Microsoft got together and formed an organization now called
the Trusted Computing Group (TCG). Over the years, TCG has included roughly 100 of
the most important hardware and operating system manufacturers (Figure 5-28).
Figure 5-28 Trusted Computing Group
05-ch05.indd 306
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-4: Securing Hardware
307
TCG is solely responsible for all the most popular technologies that, when used collectively, make your system very secure. Let’s look at those technologies and see how
they work.
Using TPM for Boot Security
Most modern computers ship with a chip called a Trusted Platform Module (TPM)
(see Figure 5-29) that works with system firmware—UEFI in current PCs, for example—
to provide a baseline level of security and trust. The operating system relies on this hardware root of trust to check for low-level changes at bootup. These changes can happen
from malware, for example. Depending on the system, any tampering could lead to
automatic loading of a last known-good system or a system stop.
EXAM TIP Modern personal computers rely on Unified Extensible Firmware
Interface (UEFI) for firmware, as you’ll recall from your CompTIA A+ studies.
Look for a question on the CompTIA Security+ exam that points to boot
security/Unified Extensible Firmware Interface (UEFI) as the preferred method
for assuring boot integrity.
This boot-level security, called generically secure boot, can also work with more centrally controlled systems. During the boot process, the TPM and UEFI generate reports
about the process and can send those reports to a remote system, like a central authentication server. This process is called boot attestation. A typical scenario would describe
analyzing the reports or reporting process involving TPM as an example of authentication
management.
With Windows 10, Microsoft added another tool called Measured Boot that interacts
with UEFI and TPM over a network to verify the integrity of the boot files. This architecture blocks malware such as rootkits.
EXAM TIP Windows 8 and later feature Secure Boot to take advantage of
TPM and UEFI to provide boot attestation. The Linux folks tend to use the
open-source Opal Storage Specification.
Figure 5-29
TPM chip
05-ch05.indd 307
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
308
Using Disk Encryption
Security professionals use various forms of disk encryption to protect data at rest (DAR),
files and folders stored on mass storage and not in transit/motion or in processing (active
use). Disk encryption has been around in one shape or another for a long time and
certainly predates TPM chips, but the presence of TPM provides a powerful tool for
encrypting drives. Every operating system supports full disk encryption (FDE), which
typically means every part of a drive is encrypted except the boot sector. The FDE tool
that comes with Windows Pro versions is called BitLocker. To encrypt a drive with
BitLocker, you must have a motherboard with a TPM chip and you must have TPM
enabled in UEFI (Figure 5-30).
EXAM TIP Expect a question (or an answer) on the CompTIA Security+ exam
that equates disk encryption as a method or part of the process of hardening
an operating system. So think beyond securing data here to seeing solutions
for a whole system.
You can go even more secure with disk encryption by using a self-encrypting drive
(SED) that automatically encrypts and decrypts all data on the drive. From the outside,
a SED looks exactly like any other drive. It works on both traditional hard disk drives
(HDDs) and solid state drives (SSDs). A SED often comes with extra features, such as
instantaneous drive wiping, that high-security folks really enjoy.
EXAM TIP The Trusted Computing Group publishes the specifications for the
Opal Storage Specification that enables SED for Linux as well as Windows.
Figure 5-30 BitLocker in Windows
05-ch05.indd 308
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-4: Securing Hardware
309
Incorporating Hardware Security Modules
The many processes that take advantage of asymmetric key storage, authentication,
encryption/decryption, and other functions can often swamp general-purpose CPUs and
operating systems. For Web servers, automated teller machines, or other applications that
perform an unusually high amount of key handling, it’s usually a good idea to offload
this work to other hardware. A hardware security module (HSM) is any type of hardware
that’s designed to do this work.
An HSM might look like a network appliance, supporting one or more servers; it
might be a USB device; or like Figure 5-31, it might look like a PCIe card you install on
a system. When cryptography is slowing down a server’s response time, an HSM, with
its optimized processors designed to handle cryptographic functions hundreds of times
faster than an equivalent general-purpose CPU, will speed up key handling dramatically.
HSMs are expensive, but when time is of the essence, HSMs are the way to go.
EXAM TIP A typical scenario would describe deploying HSMs as an example
of authentication management.
NOTE You can use an HSM for secure boot (which is why it’s placed here in
the book). Often this manifests with a combination of flash media, system
on a chip (SoC) systems, and certificates. The process is well beyond this
discussion, but worth noting.
Figure 5-31 HSM PCIe card
05-ch05.indd 309
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
310
Module 5-5: Securing Endpoints
This module covers the following CompTIA Security+ objectives:
• 1.6 Explain the security concerns associated with various types
of vulnerabilities
• 2.1 Explain the importance of security concepts in an enterprise environment
• 3.2 Given a scenario, implement host or application security solutions
The previous module discussed several tools to secure hardware and made more than
one reference to securing operating systems and applications. This module carries the
story forward, focusing on applying well-known security controls to design the right
endpoint protection, for both operating systems and applications.
Hardening Operating Systems
Hardening an operating system means several things, but mostly it’s about configuring
the operating system and setting security options appropriately. Security professionals
should adhere to the golden rule for hardening:
If you don’t need it, remove it. If you can’t remove it, turn it off.
Although all operating systems provide methods and interfaces for secure configurations, we’re not going to focus on one specific operating system in this module. Instead,
we’ll focus on several configuration settings that should be considered regardless of
operating system.
NOTE The federal government and various organizations publish guidelines
on specific settings for hardening systems. Check out the Department of
Defense (DoD) Security Technical Implementation Guides (STIGs) as a great
example: https://public.cyber.mil/stigs/.
Regardless of the operating system in use, you should focus on privilege levels and
groups (administrative users and regular user accounts); access to storage media, shared
files, and folders; and rights to change system settings. Additional settings you should
evaluate include encryption and authentication settings, account settings such as lockout
and login configuration, and password settings that control strength and complexity,
password usage, and expiration time. You also should consider other system settings that
directly affect security, including user rights and the ability to affect certain aspects of the
system itself, such as network communication. These configuration settings contribute
to the overall hardening of the operating system.
05-ch05.indd 310
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-5: Securing Endpoints
311
Figure 5-32 Security options in Windows 10
Figure 5-32 shows a sample of some of the different options that you can configure
for security in Windows. Figure 5-33 shows other options that you can configure in a
Linux operating system.
EXAM TIP You might see a question about endpoint security solutions
that explicitly state the need to harden the Windows Registry, the central
database in Windows for configuration of just about everything. For the
most part, applying hardening techniques discussed in this module will lock
down access to the Registry to only those accounts that need to access it—
administrators, in short—and provide more than adequate security.
Trusted Operating System
A trusted operating system is a specialized version of an operating system, created and configured for high-security environments. It may require very specific hardware to run on.
Trusted operating systems are also evaluated by a strict set of criteria and are usually used
in environments such as the US Department of Defense and other government agencies,
where multilevel security requirements are in place.
05-ch05.indd 311
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
312
Figure 5-33 Security options in Linux
An example of the criteria that a trusted OS must meet is the Common Criteria, a
set of standards that operating systems and other technologies are evaluated against for
security. A lot of national governments worked together to create the Common Criteria, including the United States, the United Kingdom, Canada, Germany, France, the
Netherlands, and more.
Trusted operating systems have very restrictive configuration settings and are hardened beyond the level needed for normal business operations in typical security environments. Examples of trusted operating systems include Trusted Solaris, SE Linux, and
Trusted AIX. Some operating systems, such as Windows 10 and Windows Server, have
been certified as trusted operating systems.
Host-Based Firewalls and Intrusion Detection
In addition to setting up security configurations on a host, you need to protect the
host from a variety of network-based threats. Network-based firewalls and network-based
intrusion detection/prevention systems—covered in detail in Chapter 6—work to protect the entire network from malicious traffic.
Host-based versions of these devices are usually software-based, installed on the host
as an application. Their purpose is to filter traffic coming into the host from the network,
based upon rules that inspect the traffic and make decisions about whether to allow or
deny it into the host in accordance with those rules:
• A host-based firewall, like the excellent Windows Defender Firewall, blocks
unwanted access based on port numbers and other criteria.
05-ch05.indd 312
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-5: Securing Endpoints
313
• A host-based intrusion detection system (HIDS) serves to detect patterns of
malicious traffic, such as those that may target certain protocols or services that
appear to cause excessive amounts of traffic, or other types of intrusion.
• A host-based intrusion prevention system (HIPS) actively scans incoming packets
and blocks potentially harmful ones aggressively.
Host-based firewalls, HIDS, and HIPS may be included in the operating system, but
they can also be independent applications installed on the host. You should carefully
configure them to allow into the host only the traffic necessary for the host to perform
its function. You should also baseline them to the normal types of network traffic that
the host may experience. You should update host-based firewalls/HIDS/HIPS with new
attack signatures as needed and tune them occasionally as the network environment
changes to ensure that they fulfill their role in protecting the host from malicious traffic,
while permitting traffic the users need to do their jobs. Figure 5-34 shows a side-by-side
example of Windows and Linux firewalls.
NOTE In real-world implementations of host-based security measures,
weigh the overall security posture of the device in question. Yes, you can
lock down a resource completely, protecting it from attackers. But will this
impede the effective use of that device? Balance is important.
Figure 5-34 Comparison of Windows and Linux firewalls
05-ch05.indd 313
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
314
Disabling Open Ports and Services
Almost every host runs services that it doesn’t need. In addition to wasting processing
power and resources, a host that runs unnecessary services poses security risks. Services
can be vulnerable to attacks for a variety of reasons, including unchecked privilege use,
accessing sensitive resources, and so on. Adding unnecessary services to a host increases
the vulnerabilities present on that host, widening the attack surface someone might use
to launch an attack on the host.
Disable any unnecessary services or open ports as a basic hardening principle. If you
have a public-facing Web server, for example, don’t run any services that offer avenues
of attack into the host or, worse, into the internal network. A public-facing Web server
shouldn’t run e-mail, DHCP, DNS, and so on. Internal hosts have the same issues; workstations don’t need to run FTP servers or any other service that the user doesn’t explicitly
need to perform his or her job functions.
You should take the time to inventory all the different services that users, workstations,
servers, and other devices need to perform their functions, and turn off any that aren’t
required. Often, when a device is first installed, it runs many unnecessary services by
default; often these do not get disabled. Administrators should disable or uninstall those
services, or at least configure them to run more securely. This involves restricting any
unnecessary access to resources on the host or network, as well as following the principle
of least privilege and configuring those services to run with limited-privilege accounts.
Application Security
Often, security administrators identify software that is harmful to computers or the organization for various reasons. In some cases, software may contain malicious code; in other
cases, the organization may want to allow the use of certain applications, such as chat
programs, file sharing programs, and video games (Figure 5-35). You can restrict access
to these applications in several different ways, one of which is blacklisting. Blacklisting (or
Figure 5-35
But I need to play
CounterStrike!
During working hours?
OK
05-ch05.indd 314
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-5: Securing Endpoints
315
configuring a block list/deny list) involves an administrator adding an undesirable piece
of software or an application to a list on a content filtering device, in Active Directory
group policy, or on another type of mechanism, so that users are not allowed to download, install, or execute these applications. This keeps certain applications off the host.
Applications may be blacklisted by default until an administrator has decided on whether
to allow them to be used on the host or the network.
Whitelisting (or configuring an allow list) works similarly to blacklisting, except that a
whitelist contains applications that are allowed on the network or that are okay to install
and use on hosts. A whitelist would be useful in an environment where, by default,
applications are not allowed unless approved by an administrator. This ensures that only
certain applications can be installed and executed on the host. It also may help ensure
that applications are denied by default until they are checked for malicious code or other
undesirable characteristics before they are added to the whitelist.
EXAM TIP On the CompTIA Security+ 601 exam, you might see the more
neutral terms “block list/deny list” and “allow list” rather than the traditional
terms “blacklisting” and “whitelisting.” CompTIA replaced the traditional
terminology with the new terminology in version 2 of the 601 exam objectives.
Applications and software can be restricted using several different criteria. You could
restrict software based upon its publisher, whether you trust that publisher, or by file
executable. You could also further restrict software by controlling whether certain file
types can be executed or used on the host. You could use these criteria in a whitelist or
a blacklist.
Figure 5-36 shows an example of how Windows can do very basic whitelisting and
blacklisting using different criteria in the security settings on the local machine. When
using blacklisting in a larger infrastructure—using Active Directory, for example—you
have many more options to choose from.
Open Permissions
Most operating systems and devices default these days to requiring at least some minimal
form of identification and authentication at login. Windows 10, for example, makes it
very difficult to set up an account with no password requirement. Earlier versions of
Windows weren’t quite as strict, so people who wanted no-frills logins left their systems
open to easy attacks. About the only places you’ll find open permissions are kiosks at conventions and trade shows that enable users to access the Internet easily. As you should
also know, don’t use those systems to access any systems that require any personal account
information. Don’t log into Facebook from the trade show floor, in other words!
EXAM TIP For the CompTIA Security+ exam, keep in mind that open
permissions equates to no security at all for any accessible system.
05-ch05.indd 315
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
316
Figure 5-36 Application control in Windows
Disabling Default Accounts/Passwords
Out-of-the-box, operating systems often include default accounts with blank passwords
or passwords that don’t meet the organization’s complexity requirements. Some of these
default accounts may not even be necessary for the normal day-to-day operation of the
host. A good example of such an account is the Windows default guest account (disabled
by default in Windows 10). Linux operating systems are also vulnerable to this issue.
A default Linux installation includes many accounts, all of which you should examine to
determine whether they are necessary for the day-to-day operation of the host, and then
disable or delete any that aren’t necessary.
EXAM TIP Expect a question or two on the CompTIA Security+ exam that
explores default settings or default accounts as examples of vulnerabilities
caused by weak configurations. Some operating systems enable setup with
unsecure root accounts, such as a local administrator with no password,
which, as you should suspect, would be a bad thing!
Patch Management
Operating system vendors release patches and security updates to address issues such
as unforeseen vulnerabilities. For the most part today, operating systems auto-update,
meaning they seek out and download patches from their manufacturers automatically,
05-ch05.indd 316
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-5: Securing Endpoints
317
although in some cases this must be done manually. This process is called patch management. In a home environment, it’s probably okay for hosts to download and install
patches automatically on a regular basis. In an enterprise environment, however, a more
formalized patch management process should be in place that closely relates to configuration and change management.
EXAM TIP Legacy platforms, such as Windows 7 don’t get security updates.
No patches equates to increasing vulnerabilities, because bad guys like to
keep looking for them. Do yourself and your users a solid and move away
from legacy platforms as quickly as you can.
In a robust patch management process, administrators review patches for their applicability in the enterprise environment before installing them. Admins should research a
new patch or update to discover what functionality it fixes or what security vulnerabilities
it addresses. Admins should then look at the hosts in their environment to see if the patch
applies to any of them. If they determine that the patch is needed, they should install it
on test systems first to see if it causes issues with security or functionality. If it does cause
significant issues, the organization may have to determine whether it will accept the risk
of breaking functionality or security by installing the new patch, or will accept the risk
incurred by not installing the patch and correcting any problems or issues the patch is
intended to solve. If there are no significant issues, then the admins should follow the
organization’s formal procedure or process for installing the patch on the systems within
the environment. Typically, this is done automatically through centralized patch management tools (software), but in some cases, manual intervention may be required and the
admins may have to install the patch individually on each host in the enterprise.
In addition, admins should run a vulnerability scanner on the host both before and
after installing the patch to ensure that it addresses the problem as intended. They also
should document patches installed on production systems, so that if there is a problem
that they don’t notice immediately, they can check the patch installation process to determine if the patch was a factor in the issue.
EXAM TIP Improper or weak patch management can lead to vulnerabilities
that bad people can and will exploit. IT managers should update everything
properly, including firmware, operating systems (OS), and applications.
That includes third-party updates as well, especially any custom software
applications or utilities used by the organization.
Anti-malware
Anti-malware has come a long way from the early antivirus programs we used back in
the 1990s. These first tools were drive scanners, using signatures to look for known
viruses and doing their best to clean them out of systems. As time progressed, more features came online such as e-mail scanners, HTTP scanners, and RAM scanners. It wasn’t
uncommon for a single anti-malware tool to possess five or six different scanning types.
05-ch05.indd 317
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
318
EXAM TIP Look for exam questions specifically addressing the output from
antivirus software. Just substitute anti-malware software and you’ll see the
obvious answer.
Today’s anti-malware tools include point scanners—often called real-time scanners—
that provide real-time scanning of all incoming data, looking for malware signatures.
Point scanners don’t care about the type of data. They look for malware signatures in
e-mail and Web browsers. Whatever application you use, a good point scanner will find
and stop the malware before it infects your system (Figure 5-37).
Figure 5-37 Windows Defender detecting malware
05-ch05.indd 318
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-5: Securing Endpoints
319
Figure 5-38 DEP settings in Windows 10
Data Execution Prevention
In the early 2000s, a series of worms attacked the Internet, infecting memory areas
with buffer overflows and propagating themselves by attempting to contact random
IP addresses. These worms were relatively easy to detect, but their ability to execute code
in areas of memory normally used only for data storage proved to be a bit of a problem.
To stop these types of attacks, Intel and AMD implemented a CPU feature called the
No eXecute (NX) bit. All operating systems were updated to support the NX bit. In
Microsoft Windows, NX bit support is called Data Execution Prevention (DEP). The
generic term for this is executable space protection. I’ll use DEP in this explanation for ease
of use (and what you might see on the CompTIA Security+ exam).
EXAM TIP The CompTIA Security+ 601 objectives do not mention the NX bit
or DEP, except to include the latter in the standard acronym list. It’s doubtful
you’ll get tested on something that’s been an enabled standard for nearly
two decades.
DEP is on by default on every Windows operating system. Be aware that you can disable it in the system setup utility. Assuming DEP is enabled in firmware, there’s always
a place to check it in your operating system. Figure 5-38 shows DEP in Windows 10.
NOTE DEP should always be on, quietly protecting systems from buffer
overflows. The need to turn off DEP is rare.
File Integrity Monitors
If malware is to be persistent, it must find a place to hide in mass storage. One popular
strategy of malware is to create its own place to hide by replacing otherwise perfectly
good files, both executable and data files, with refactored versions (Figure 5-39).
05-ch05.indd 319
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
320
I’m the real one!
Figure 5-39
Which is the
real one?
WindowsCodecsRaw.dll
I’m the real one!
WindowsCodecsRaw.dll
To defeat these bad actors, use a file integrity monitor as part of an anti-malware routine. As the name implies, a file integrity monitor makes sure the right files are in the right
place. Most file integrity monitoring starts with a hash of the file itself, but may also add
several other options:
•
•
•
•
File date/time
Version number (if executable)
Digital signature
Metadata (modify date)
By recording these values at installation of the operating system or application, a file
integrity checker can verify without a doubt that the files being checked are the right ones.
NOTE See Chapter 8 for more details on fully featured file integrity
monitoring (FIM) systems that scale up to handle enterprise networks.
Data Loss Prevention
If your data is precious, you might want to add some data loss prevention (DLP) tools
to the individual servers storing that data. Most DLP solutions are designed not only to
keep your data’s integrity at 100 percent but also to do several other jobs. Some DLP
packages verify backups exist and are in good order. Some DLP packages monitor if data
is being moved or copied (they call this data in transit/motion). Some DLP packages
provide removable media control—called USB blocking—to prevent local copies being
created. DLP works in all sorts of appliances, from enterprise routers to cloud-based
services.
You’ll find DLP employed in mail gateways, protecting e-mail messages and delivery.
The mail gateway might employ DLP along with a spam filter to proactively delete
known unsolicited messages and with encryption features for secure e-mail. (See also
Chapter 11 for more discussion on secure protocols.)
05-ch05.indd 320
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-6: System Recycling
321
Figure 5-40
Shredded
computers
Module 5-6: System Recycling
This module covers the following CompTIA Security+ objective:
• 4.1 Given a scenario, use the appropriate tool to assess organizational security
There comes a time when hard-working individual systems must say farewell. Technology becomes dated, upgrading is impossible or not cost-effective, feature sets are
lacking, or a massive hardware failure (like a smoked motherboard) makes a repair simply
not worth the cost in money and time. The process of disposing of systems is called
system recycling.
There are two different ways to recycle. First, take a complete system to a scrapper that shreds the system—plastic, metal, everything—and recycles the core materials
(Figure 5-40).
Alternatively, system recycling means to give the computer to someone else who needs
it. Charitable organizations, schools, and private individuals badly need computers and
will gratefully accept even somewhat dated systems.
In either case, the great issue for IT professionals is to ensure that none of the data
on the soon-to-be-recycled mass storage devices survives. This process, called data sanitization, takes on several forms and steps, but a handy publication that provides helpful guidance is NIST Special Publication (SP) 800-88 Revision 1, Guidelines for Media
Sanitization (Figure 5-41).
NIST SP 800-88 Rev. 1 breaks data sanitization into three main methods: clear,
purge, and destroy. Each of these methods ensures the data on mass storage won’t leave
the infrastructure, but the methods vary in terms of security, convenience, and cost.
Clear
Clear means to tell the device through user commands inherent to the mass storage
device to sanitize the data. One example of a clear would be to send commands to a hard
drive to erase data. Clearing isn’t, however, just a simple erase. It must eliminate data
05-ch05.indd 321
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
322
Figure 5-41 NIST SP 800-88, Revision 1
from the mass storage device in such a way as to ensure the data cannot be read again,
even if forensic tools are used to try to recover the data.
The biggest question marks when it comes to clearing mass storage are HDDs and
SSDs. The built-in erase/delete, format, and partition commands from any operating system generally do not remove data. True removal requires disk wiping utilities
that overwrite the data on the entire drive. Figure 5-42 shows the interface of a highly
regarded clearing/wiping tool, Parted Magic (https://partedmagic.com).
There’s an old wives’ tale that claims (depending on who you hear this story from) that
you must overwrite data six or seven or nine times before the underlying data cannot be
recovered forensically. In response to this, SP 800-88 Rev. 1 says the following:
For storage devices containing magnetic media, a single overwrite pass with a fixed
pattern such as binary zeros typically hinders recovery of data even if state of the
art laboratory techniques are applied to attempt to retrieve the data.
For the overly paranoid, or for those whose employers require you to be so, however,
the US Department of Defense wiping standard, DoD 5220.22-M, performs many overwrites. It should be noted that even the US DoD no longer requires this standard for
data sanitization.
05-ch05.indd 322
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Module 5-6: System Recycling
323
Figure 5-42 Parted Magic
NOTE A general rule on clear: if the device is an appliance (a router, a
smartphone, a multipurpose printer), a factory reset will often sufficiently
clear the device. This isn’t a guarantee, and it’s always a good idea to refer to
the manufacturer directly.
Purge
Purge means to use anything other than an internal command to sanitize the data on the
media. Probably the best example of purging is degaussing magnetic media. Degaussing
means to expose the media to very powerful magnetic fields. Degaussing is 100 percent
effective on HDDs, but is useless with SDDs as they do not store data magnetically.
Degaussing machines are expensive, so most organizations that need to degauss take
advantage of third-party solutions. Figure 5-43 shows the Web page of a company that
specializes in data destruction, including degaussing.
Figure 5-43 Data Killers degaussing service Web page
05-ch05.indd 323
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
324
Unfortunately, degaussing also destroys the media. Once an HDD is degaussed, the
drive is destroyed. But not all purging is destructive. One potential alternative that might
be available is cryptographic erase (CE). If by chance you have something on mass storage
that is encrypted with an asymmetric key, you can render the data undecipherable by
eliminating the key pair, or at least the public key.
Destroy
Destroy quite literally means the physical destruction of the media. Secure data destruction methods depend on the media, but here are the four common techniques.
• Burning Flammable media isn’t as common as it used to be, but burning is still
available for disks and tapes.
• Pulping Exclusively for paper, pulping dissolves and cooks the paper, creating
new paper.
• Shredding Shredding means two different things. You can use shredders to
chop up paper (or cards or tapes or optical media) into tiny pieces. If you’re
talking about hard drives, the proper term is pulverizing (see next).
• Pulverizing Pulverizing mechanically rips apart the media or data storage.
There are some excellent YouTube videos on this topic—assuming you like
watching hard drives shredded into thousands of tiny pieces!
Questions
1. Rick logs into a public system as Guest and guesses correctly on a simple
password to gain administrative access to the machine. What sort of attack
surface does this represent?
A. Angle plane
B. Privilege escalation
C. Service vector
D. Zero-day
2. John receives a driver-signing error for a specific DLL file in his Windows system.
This a classic symptom of what sort of attack?
A. ARP poisoning
B. MAC spoofing
C. Refactoring
D. Shimming
3. Samantha recommended new systems for a group of developers at remote
locations. Each system is identical, with high-end processing components. For
storage, she needs a solution that provides storage redundancy and performance.
05-ch05.indd 324
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Questions
325
She goes with RAID for each system, selecting four drives. Each user can lose up
to two drives and not lose data. What RAID did she select?
A. RAID 0
B. RAID 1
C. RAID 5
D. RAID 6
4. The Trusted Computing Group introduced the idea of the __________, an
integrated circuit chip that enables secure computing.
A. TCP
B. TPM
C. EMP
D. EMI
5. John’s home system has automatic updates from Microsoft, yet at his office, his
organization has a more formal method of updating systems called __________.
A. Automatic updates
B. Patch management
C. TOS
D. Allow listing
6. What sort of malware requires the user to pay to remove the malware?
A. Trojan horse
B. Keylogger
C. Adware
D. Ransomware
7. Marisol notices a small dongle between her USB keyboard and her system.
Which of the following is most likely?
A. She is using an inline encryption device.
B. She has a TPM.
C. Someone has installed a keylogger.
D. Someone has installed a logic bomb.
8. Degaussing is associated with which form of data sanitization?
A. Clear
B. Purge
C. Destroy
D. Recycle
05-ch05.indd 325
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 5
Chapter 5: Securing Individual Systems
326
9. Jake gets a call from a user complaining about things seeming “squished” on the
screen. Upon further review, Jake determines that the Edge browser on the user’s
laptop has a lot of nonstandard toolbars taking up part of the screen, thus making
it harder to see Web pages and images at agreeable sizes. What sort of malware
has infected the user’s computer?
A. PUP
B. Ransomware
C. Trojan horse
D. Worm
10. Erin needs to implement a solution to provide redundancy of network
connections for a critical server. What should she implement?
A. Multipath
B. NIC teaming
C. RAID
D. Virtualization
Answers
1. B. Privilege escalation scenarios have the bad guy increasing the scope of what he
can do once authenticated to a system.
2. C. A refactoring attack tries to replace a device driver with a file that will add
some sort of malicious payload.
3. D. A RAID 6 array requires at least four drives, but can lose up to two drives and
still not lose data.
4. B. Trusted Platform Module (TPM) chips store a unique 2048-bit RSA key pair
for security purposes.
5. B. Patch management describes the process used to keep systems updated in
the enterprise.
6. D. Ransomware demands payment to restore files.
7. C. A random USB dongle can be a malicious device, such as a keylogger.
8. B. Although a degausser essentially renders a hard drive unusable, it falls into the
category of purge.
9. A. Jake’s user clearly has one or more potentially undesirable programs installed!
10. B. Erin should install and configure a second network interface connection in
NIC teaming to provide redundancy of network connection.
05-ch05.indd 326
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
CHAPTER
The Basic LAN
6
Mesh, smesh. Just point me to the bus.
—Anonymous Luddite
Most computing devices interact within a TCP/IP broadcast domain, a local area network
(LAN), a crazy mélange of devices, from PCs to printers to smartphones to switches to
thermostats to refrigerators. Securing each computing device requires attention and specific tools and technologies, as you learned in Chapter 5. Networks bring an extra layer
of complexity and attack surfaces and, as you undoubtedly suspect, a whole new set of
tools for security. This chapter explores securing a LAN in five modules:
•
•
•
•
•
Layer 2 LAN Attacks
Organizing LANs
Implementing Secure Network Designs
Virtual Private Networks
Network-Based Intrusion Detection/Prevention
Module 6-1: Layer 2 LAN Attacks
This module covers the following CompTIA Security+ objective:
• 1.4 Given a scenario, analyze potential indicators associated with
network attacks
LANs offer great attack surfaces. This module explores Layer 2 (Data Link in the OSI
seven-layer model) attacks, such as ARP poisoning, on-path attacks, MAC flooding, and
MAC cloning. Why worry about Layer 3, Layer 4, or even Layer 7 for that matter, when
you can attack way down the network stack? Let’s check them out.
NOTE That question was a joke and a segue. Security professionals definitely
need to worry about attack surfaces up and down the OSI layers. We’ll get to
other attacks shortly.
327
06-ch06.indd 327
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
328
ARP Poisoning
Most every network in existence is Ethernet, and every network interface card (NIC) on
an Ethernet network has a media access control (MAC) address. For one computer to
send an IP packet to another computer on an Ethernet network, the IP packet must sit
inside an Ethernet frame. An Ethernet frame consists of both a destination MAC address
and a source MAC address. The sending system needs both the destination host’s IP
address and the destination host’s MAC address. But what if the sending system knows
the destination IP address but doesn’t know the destination MAC address? In that case the
sending system performs an Address Resolution Protocol (ARP) broadcast to determine the
MAC address for that host.
Typically, when a system wants to send an IP packet, it broadcasts an ARP request that
looks something like Figure 6-1.
The system then caches the ARP discovery for a minute or two. In Windows you can
type the arp -a command at the command line to see the cached ARP addresses. In the
following example, dynamic addresses are the temporary addresses that must be renewed
with new ARP commands every few minutes. Static addresses are permanent and do not
require new ARP updates.
C:\Users\Michaelm>arp -a
Interface: 172.18.13.117 --- 0x10
Internet Address
Physical Address
172.18.13.1
d4-b2-7a-03-26-4d
172.18.13.102
a8-a1-59-06-08-82
172.18.13.107
16-07-f2-c0-44-89
172.18.13.255
ff-ff-ff-ff-ff-ff
224.0.0.22
01-00-5e-00-00-16
224.0.0.251
01-00-5e-00-00-fb
224.0.0.252
01-00-5e-00-00-fc
239.255.255.250
01-00-5e-7f-ff-fa
255.255.255.255
ff-ff-ff-ff-ff-ff
Type
dynamic
dynamic
dynamic
static
static
static
static
static
static
Hi 192.168.4.33!
I’m 192.168.4.2.
192.168.4.2
Who has IP address 192.168.4.2?
Tell 192.168.4.33.
192.168.4.231
192.168.4.59
Figure 6-1 Typical ARP request
06-ch06.indd 328
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-1: Layer 2 LAN Attacks
329
I’m a bridge to
192.168.4.5! My MAC is
DD-EE-FF-11-22-33.
But…
but…
but!
192.168.4.11
Who has
192.168.4.5? Tell
me (192.168.4.33).
192.168.4.5
192.168.4.35
Figure 6-2 ARP spoofing in action
Note that most of the 172.18.13.x addresses in this example are other systems on the
network that use dynamic IP addressing. The broadcast addresses 172.18.13.255 and
255.255.255.255 are static. Most of the other addresses are for multicast addresses.
So ARP’s job is to resolve MAC addresses based on IP addresses using systems that
broadcast requests and then update their ARP caches with the responses from other computers. But ARP has no security. Any computer can respond to an ARP request, even if
that computer is an evil actor (Figure 6-2).
Any time an attacking system pretends to be another system in any way—by faking
an IP address, a URL, or an e-mail address—it is spoofing. A system that responds with
another system’s MAC address via ARP requests is ARP spoofing. On the other hand,
if some system gives false ARP information to another system, this poisons the victim
system’s ARP cache. The attacking system performs ARP poisoning. Figure 6-3 explores
the differences.
Figure 6-3
ARP spoofing vs.
ARP poisoning
06-ch06.indd 329
I fake other systems' MAC
addresses so I’m spoofing.
My spoofing puts false
information on other systems'
ARP caches so I’m ARP cache
poisoning.
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
330
Figure 6-4
Switch MAC table
MAC Table
Port 1 - 00-98-BA-2D-C2-AA
Port 2 - 02-1A-34-D2-8C-25
Port 3- Empty
Port 4- Empty
Port 5- 7D-88-01-BB-AC-43
Port 6- Empty
Port 7- 14-dd-a9-9b-03-90
Port 8- Empty
12345 67 8
Router
ARP poisoning doesn’t stop with a single attacking system going after another system’s
ARP cache! Remember that every LAN has a Layer 2 switch that interconnects all the
LAN devices. This switch keeps a listing of the MAC addresses to all connected systems
(Figure 6-4).
An ARP poisoning program can confuse the switch by sending ARP commands
directly to the switch, redirecting traffic to the attacking system. In Figure 6-5, the
attacker impersonates a legitimate system.
ARP poisoning software can send false ARP commands. What havoc can this provoke? Two common types of attack use ARP spoofing/ARP poisoning: man-in-themiddle attacks and MAC flooding.
Man-in-the-Middle Attacks
Let’s assume that you, the evil actor, have used your “Mission: Impossible” skills and
infiltrated an office. You’re sitting next to an RJ-45 connection on the target LAN. Your
goal, should you choose to go further, is to get user J. Bond’s user names and passwords
for, well, just about everything he does online. To intercept his Web activity, for example,
you set up an ARP poisoner to tell the switch that the ARP poisoner is now the router,
thereby fooling the switch to send all the data from J. Bond’s system directly to your
system. You don’t want J. Bond to get wise to you, so after all of his data comes into your
system, you keep a copy but at the same time make sure the traffic goes on to the router
and does whatever he wanted it to do. Your ARP poisoning system is now in the middle
between J. Bond’s computer and the Web server he is trying to connect to (Figure 6-6).
You have now created a classic man-in-the-middle (MITM) attack! Excellent work, evil
actor! Muwhawhawhaw!
06-ch06.indd 330
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-1: Layer 2 LAN Attacks
331
Hey switch ! I am MAC address
00-98-BA-2D-C2-AA.
MAC Table
Port 1 - 00-98-BA-2D-C2-AA
Port 2 - 02-1A-34-D2-8C-25
Port 3- Empty
Port 4- Empty
Port 5- 7D-88-01-BB-AC-43
Port 6- Empty
Port 7- 14-dd-a9-9b-03-90
Port 8- Empty
12345 67 8
Router
What the
heck?
Figure 6-5 ARP poisoning the switch
NOTE Apologies to the reader here. The primary author of this chapter—
not naming names, but his initials are MM—can’t keep his movie franchises
straight, not even for one million dollars. – SJ
I see EVERYTHING!!!
J. Bond’s System
Evil System
Web Server
Figure 6-6 MITM J. Bond’s system
06-ch06.indd 331
25/03/21 2:15 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
332
You should note two items here. First, this isn’t the only way to do an MITM attack.
This scenario uses ARP poisoning to create an MITM attack. There are hundreds, if not
thousands, of ways to execute MITM attacks. Any form of attack that places something
between two systems for the job of acquiring data is an MITM attack. You could do an
MITM attack by setting up a fake e-mail server and stealing someone’s e-mail. You could
do an MITM attack by setting up a rogue WAP and tricking users into connecting to it.
EXAM TIP The CompTIA Security+ 601 exam objectives refer to an MITM
attack as a form of on-path attack. This is a more general term that can
apply to any sophisticated attack where you insert something on the path
between a legitimate system and a trusted resource. You might see the term
“on-path attack” on the exam, but will definitely see “man-in-the-middle” in
the field for the foreseeable future.
The other type of on-path attack discussed in this book is a man-in-thebrowser (MITB) attack. As the name implies, it’s essentially an MITM attack
directed at Web browsers. We’ll get to it in Chapter 11.
MAC Flooding
Switches filter traffic based on MAC addresses, very quickly establishing and maintaining
a table—called a content addressable memory (CAM) table—that contains all the MAC
addresses of the hosts connected to it. Traffic goes into the switch and then only to the
specific recipient listed in the frame (Figure 6-7). If a switch does not know the intended
MAC Table
Port 1 - Empty
Port 2 - 02-1A-34-D2-8C-25
Port 3- Empty
Port 4- Empty
Port 5- 7D-88-01-BB-AC-43
Port 6- Empty
Port 7- 14-dd-a9-9b-03-90
Port 8- Empty
12345 67 8
Computer A
I can’t see what
Computers A and B
are saying to each
other!
Computer C
Computer B
Figure 6-7 A properly running switch
06-ch06.indd 332
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-1: Layer 2 LAN Attacks
333
MAC Table
Port 1 - Empty
Port 2 - 02-1A-34-D2-8C-25
Port 3- Empty
Port 4- Empty
Port 5- My
7D-88-01BB-AC-43
MAC table is
Port 6- Empty
invalid so...
Port 7- 14-dd-a9-9b-03-90
HUB MODE!!!
Port 3- Empty
I see all the traffic!
12345 67 8
Computer C
Computer A
Computer B
Figure 6-8 MAC flooding
recipient of a frame, the switch will broadcast that frame to all the connected devices,
behaving much like an ancient hub. This is typical during the initial connection of a new
device to the network, for example, until the switch’s CAM table updates.
Attackers can take advantage of this aspect of switches through media access control
(MAC) flooding attacks, sending many frames with “new” source MAC addresses, seeking
to overwhelm the limited capacity of the CAM table (Figure 6-8). Using an ARP poisoner, for example, an attacker can broadcast hundreds of invalid ARP commands every
few seconds. Once filled, the switch will flip to broadcast mode for LAN traffic.
Not only does MAC flooding force switches to broadcast all traffic, it’s also a great
way to open up an ARP poisoning attack. Once the switch goes into “hub mode” (my
term, not an industry term), it will quickly send out a flurry of ARPs to try to rebuild the
CAM table. This is a terrific opportunity for an ARP poisoner to send ARPs that tell the
switch it is another system.
MAC Cloning
An attacker can use MAC cloning—changing the MAC address of a device to match the
MAC address of another device—to gain illicit access to the network. MAC cloning is a
legitimate and fairly common action. Figure 6-9 shows how to change the MAC address
of a NIC in Windows using the NIC’s properties.
Unlike ARP poisoning, MAC cloning is a permanent setting. The trick to making
MAC cloning work as an attack is to remove or disable the device that originally had
the MAC address. You can’t have two devices with the same MAC address on a LAN for
more than a few moments, as that will confuse the switch as well as other systems and will
force a huge number of new ARPs as the network tries to figure out what’s happening.
06-ch06.indd 333
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
334
Figure 6-9
Changing the
MAC address in
Windows
Many switches use a scheme called port security to protect against MAC cloning
attacks. One of the more important features of port security is maintaining an inventory
of every MAC address of allowed systems on the switch. Better switches do not allow a
system with a MAC address that isn’t listed in the MAC address inventory to access the
network. They literally turn off the port where the offending system connects. Attackers
will attempt to avoid this by using a system with a known MAC address.
NOTE MAC cloning has legitimate uses as well. It’s common to change the
MAC address of a small office/home office (SOHO) router issued by an ISP
to the MAC address of the previous router to speed up installation of the
new router.
Wireless access points commonly have a MAC setting that functions similarly to port
security. The WAP stops systems that aren’t “on the list” from authorizing to the SSID.
Module 6-2: Organizing LANs
This module covers the following CompTIA Security+ objectives:
•
•
•
•
06-ch06.indd 334
2.1 Explain the importance of security concepts in an enterprise environment
2.5 Given a scenario, implement cybersecurity resilience
2.7 Explain the importance of physical security controls
3.3 Given a scenario, implement secure network designs
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-2: Organizing LANs
335
Figure 6-10
This is more
than a CompTIA
Network+ review.
I can haz
netwerking?
Goodness, no! We’re going
way beyond CompTIA
Network+ here!
This module reviews local area network (LAN) technologies, including devices, architectures, and secure networking principles. Although the book has already briefly discussed secure network protocols, this section takes an in-depth look at network security,
discussing network devices and how to configure them securely, the design elements that
go into a secure network, and different security methods and technologies that help make
up secure network administration.
Network security is an extremely important part of security in general, so reach back
into your mind for all the knowledge and experience you’ve gained from CompTIA
Network+ studies, as well as real-life experience. Also understand that this module is
not a CompTIA Network+ exam review, although it discusses topics that may serve as
a reminder of those studies. This module focuses on the security aspects of networking
(Figure 6-10).
We’ll specifically touch on three aspects of secure network design here: configuration
management, network segmentation, and load balancing.
Configuration Management
Configuration management (CM) in general refers to how an organization keeps track of
everything that affects its network, including the hardware in place, operating system
versions and ordering, policies implemented, physical placement and layout of systems,
and much more. CM directly relates to disaster recovery, which we’ll cover in more detail
in Chapter 13. If you know precisely the systems and software in place, you can more
effectively deal with breaches, failures, software glitches, and so on.
This module touches on a few specific examples to include in the detailed documentation required for good CM, such as diagrams, standard naming conventions, IP schema,
and baseline configuration. Just keep in mind that the topic goes way beyond CompTIA
Security+ and into enterprise networking design, administration, and security.
NOTE Other, more specialized certifications test much more deeply on CM
topics, such as the ITIL certification from AXELOS.
06-ch06.indd 335
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
336
Diagrams
Thorough and detailed diagrams map out the physical hardware of the network, including connectivity among devices, make and model of devices, operating system and version, firmware version, and so on. Network diagrams should function in layers, similar
to the classic anatomy books with simple bones, arteries, organs, and more all on colored
transparencies (Figure 6-11). Figures 6-12 and 6-13 show simple and more complex
diagrams of the same network.
NOTE When it comes to network diagrams, learn Microsoft Visio, the
industry-standard tool. Get it as soon as you can and start practicing.
Standard Naming Conventions
All documentation should use standard naming conventions—standard for your organization, at least—so network administrators and security professionals can glance at something labeled FS3-E4 and differentiate it from FS3-W7 easily. (C’mon, file server 3 on
floor 4 in the East building in the campus area network versus file server 3 on floor 7 in
the West building, right?) This standardization applies to every network asset, including
system identification and network IDs. Standard naming conventions enable new team
members to get up to speed quickly and avoid rookie mistakes that would cause problems for the organization.
Figure 6-11
Classic anatomy
overlay (Image:
ilbusca, Getty
Images)
06-ch06.indd 336
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-2: Organizing LANs
337
BWC CAN
802.11ac
Server
IDF
10 Gigabit
w/Access Switch
Gigabit
Cat 6a
Main
Office
IDF
Gigabit
Cat 6a
SCADA
Gigabit
Cat 6a
802.11ac
Gigabit
Cat 6a
Gigabit
Cat 6a
10 Gigabit
w/Access
Switch
10 Gigabit
w/Access Switch
IDF
Warehouse
and Shipping
Gigabit
Cat 6a
Gigabit
Cat 6a
Gigabit
Cat 6a
Gigabit
Cat 6a
Gigabit
Cat 6a
Factory
Gigabit
Cat 6a
Gigabit
Cat 6a
Gigabit
Cat 6a
Gigabit
Cat 6a
802.11ac
Figure 6-12 Diagram of the Bayland Widgets’ campus area network
Main Office server room
Utility Room 402
Manager: Mike Meyers
(812)555-8160 (text)
Top: File Server
Dell PowerEdge R450
00:C0:4F:22:08:01
11.12.13.10
Cent: Main Switch
Dell EMC Powerswitch N2924
11.12.13.2
Lower: UPS
Dell DLT 1800
00:C0:4F:49:90:AD
11.12.13.11
Figure 6-13 Closeup with details of the Bayland Widgets’ campus area network
06-ch06.indd 337
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
338
IP Schema
Part of good configuration management means implementing IPv4 addresses in a logical
and consistent manner—the Internet Protocol (IP) schema. In one common IP schema,
for example, the main router is set to x.x.x.1. Switches get range x.x.x.2–10, printers
get range x.x.x.11–16, and workstations get all the rest. Most networks organize the first
or last useable address in their subnet for the default gateway. Consistency and explicit
documentation are the keys here.
Baseline Configuration
Once you have the network set up, run tests to determine the baseline performance of
the network based on the baseline configuration you’ve implemented. In other words,
CM means knowing how each part of the network should perform so it becomes rapidly
apparent when something doesn’t perform as expected. We’ll see more about baselining
in Chapter 13, but keep it in your head that it’s an integral part of effective configuration
management.
Network Segmentation
A good, secure network architecture organizes components into physical or logical
groupings, enabling better security for the enterprise. Network segmentation generally
means partitioning a single enterprise network into two or more subnetworks using
either switches (at Layer 2) or routers (at Layer 3). Layer 2 switches use VLAN capabilities to turn single broadcast domains into multiple broadcast domains. Layer 3 routers
split the enterprise into separate network IDs. Network-based firewalls work at this level;
we can also implement screened subnets. This splitting either at Layer 2 or Layer 3 for
different functions of the network gives us tremendous control over the data moving
among systems and enables us to address security in many different ways.
Network segmentation also refers to separating the enterprise network both within (to
reduce overhead and general traffic) and without (connecting to an ISP or some other
organization’s network). We’ll glance briefly at the terminology and documentation that
refers to these other connectivity points.
EXAM TIP The CompTIA Security+ objectives list Zero Trust under network
segmentation. Zero Trust operates on the principle of “never trust, always
verify,” which means exclude any traffic from anyone until you can prove that
traffic is legitimate. Zero Trust uses network segmentation as some of the
methods for excluding traffic.
Typical implementations of Zero Trust also operate at Layer 7, so they
don’t really fit the classic network segmentation models of Layers 2 and 3.
You’ll see the term again in Module 6-3 under “Internet Connection Firewalls.”
Keep in mind the concept as it relates to network segmentation, though,
so you can properly parse questions on the CompTIA Security+ exam.
06-ch06.indd 338
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-2: Organizing LANs
339
VLANs
You know that the defining characteristics of a LAN are that hosts are on the same subnet; that they communicate with each other without the need to be routed; and that they
use hardware (MAC) addresses to identify each other during communications. Better
switches can segment a network logically into two or more distinct and separate networks
by implementing virtual local area network (VLAN) technology. A VLAN doesn’t depend
upon the physical layout of the network; it doesn’t matter if the hosts are physically sitting next to each other or are located several buildings apart. A VLAN creates a logical
network in which to assign hosts.
Once a host is assigned to a VLAN, it follows LAN conventions, as if it were physically a part of a LAN. You create VLANs on switches by configuring the switches to
establish and recognize VLANs with certain characteristics. These characteristics include
an IP subnet and VLAN membership. VLAN membership can be based on the switch
port the host is plugged into (called a port-based VLAN); it can also be based on the MAC
address of the client (a MAC-based VLAN). You could also have a protocol-based VLAN,
which would ensure that any client with an IP address on a subnet would be assigned to
a VLAN by default. You can assign different hosts to different VLANs, even if they plug
into the same switch and sit right next to each other.
EXAM TIP Implementation of VLANs falls squarely in the CompTIA Network+
certification bailiwick. CompTIA Security+ cares that you know VLANs
enhance network security through network segmentation.
Since VLANs operate with the same characteristics as normal LANs, broadcasts are
not passed between them. In fact, it’s necessary to route traffic between VLANs. You
could use a traditional router for this, or, more often, you could configure the switch to
route between VLANs (called inter-VLAN routing). If VLANs need to access networks
that aren’t controlled by the switch, the traffic must pass through a traditional router.
Figure 6-14 illustrates an example VLAN setup.
VLANs contribute to security because they enable administrators to separate hosts
from each other, usually based upon sensitivity. In other words, you can assign sensitive
hosts to a VLAN and control which other hosts access them through the VLAN. Since
VLANs are logical (and software-based), you can control other aspects of them from a
security perspective. You can control what types of traffic can enter or exit the VLAN,
and you can restrict access to hosts on that VLAN via a single policy. You can also provide
for increased network performance by using VLANs to eliminate broadcast domains, the
same as you would with a traditional router.
Network-Based Firewalls
A network-based firewall, like the host-based firewall discussed in Chapter 5, filters
IP traffic based on rulesets known generically as access control lists (ACLs). A networkbased firewall manifests as a specialized hardware device (commonly but not exclusively
a router), a type of network appliance.
06-ch06.indd 339
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
340
Layer 3 Switch
Figure 6-14
VLANs on a
switch
VLAN 3
172.16.30.0
VLAN 1
192.168.10.0
VLAN 2
172.29.20.0
NOTE Given that routers interconnect LANs, adding firewall features to a
router is a natural combination.
Network-based firewalls typically protect entire network segments. Traditionally, firewalls were thought of in terms of separating only public networks from private networks;
but modern security theory also emphasizes the use of firewalls in an internal network
to separate sensitive network segments from other internal networks. Firewalls can filter
traffic based upon a wide variety of criteria, including port, protocol, network service,
time of day, source or destination host, and even users or entire domains. More advanced
firewalls can also do deep-level traffic inspection, so even traffic that meets rules allowing
it to pass through the firewall could be denied due to the content of its traffic.
NOTE
Module 6-3 goes into specific types of network-based firewalls.
Screened Subnets
The best way to connect a LAN to the Internet is to use a firewall-capable router to act
as the interconnect between the LAN and an ISP. While simple LANs handle this nicely,
a network that includes public servers must have a more complex topology that protects
Internet systems but still enables less-protected access for public servers. To do this, create
a screened subnet—also known as a demilitarized zone (DMZ)—a LAN, separate from the
06-ch06.indd 340
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-2: Organizing LANs
341
LAN
DMZ
To the
Internet
Router
Router
Web Server
Whatever Server
Game Server
Figure 6-15 A screened subnet (DMZ)
internal LANs that contain workstations and private servers. The DMZ connects to the
Internet via a lightly firewalled router, and an internal network connects to the DMZ via
a much more aggressively firewalled router (Figure 6-15).
EXAM TIP The third iteration of the CompTIA Security+ 601 objectives
changed the traditional term “demilitarized zone (DMZ)” to “screened
subnet.” You might see the latter term on the exam, so don’t miss the
question. You’ll only see DMZ in the real world for the next few years—
assuming the politically correct term catches on at all, so be prepared for
that as well.
A lot of modern networks that employ a screened subnet use a specialized network
appliance called a jump server that enables secure management of devices within the
DMZ. The typical jump server enables logging and auditing and provides a single management point for user accounts.
Interconnecting Within and Without
Even relatively simple enterprise networks—like the Bayland Widgets’ CAN illustrated
earlier in this module—have multiple connections among servers within the network
and, of course, connections to the outside world as well. Internal server-to-server communication can add a lot of overhead to a network if not managed properly. Proper
network segmentation can reduce overall traffic by putting a server-to-server connection
in a unique VLAN, for example, or separating the servers with routers.
06-ch06.indd 341
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
342
The network documentation folks have long called the internal server-to-server connection east-west traffic, not because of any geographic necessities, but because the network diagrams tend to show them as horizontal connections. A network using VLANs
or routers that’s essentially a single enterprise network is called an intranet. A private
TCP/IP network that provides external entities (customers, vendors, etc.) access to their
intranet is called an extranet. The biggest TCP/IP network of all, the one we all know and
love, is called the Internet.
And just for completeness here, connections between an enterprise network and an
external network, such as an ISP, are generally drawn in diagrams as a vertical connection. Can you guess what term describes this connection? That’s right, north-south traffic.
Load Balancing
A load balancer is a network device used to provide efficient and seamless workload sharing between network devices (such as routers or firewalls) or hosts, typically Web or file
servers or storage devices. Placed strategically between devices, a load balancer enhances
security and efficiency. You can also purchase network devices with native load balancing
capability allowing the same functionality with a paired device, but the implementation
is more complicated. As you might suspect from the name, load balancers provide load
balancing to the network. Implement load balancers in a scenario where you need to
enhance cybersecurity resilience.
High-Availability Clusters
A load balancer contributes to security by providing for high availability. If a server goes
down, the load balancer can transparently and immediately provide for availability by
transferring network and resource requests to an identically configured backup server.
This is considered persistence in networking, meaning the network resources are always
available. An active/passive high-availability cluster like this has one server active and the
second passive, acting as a failover or backup.
NOTE A cluster in this use is a group of servers that work together to
provide a service, such as a Web site, Web service, or database.
In an active/active high-availability cluster, the load-balanced services perform the
same functions at the same time, but with different transactions. As an example, two
load-balanced Web servers would respond to different users’ browser requests. The load
balancer manages the traffic and requests going to each of the members of the service
or device cluster for which it is responsible. This helps provide for efficiency, eliminates
delays or latency, and provides for system and data availability if a member of the cluster
is unable to fulfill requests or requires maintenance.
Scheduling
Load balancers may use several different criteria to determine scheduling—that is, which
device gets a particular request. A load balancer may base its decisions on network traffic
06-ch06.indd 342
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-3: Implementing Secure Network Designs
343
conditions, for example; it may use a turn-based system (otherwise known as a roundrobin type of system); or it can send traffic based on available resources on the target
systems in more advanced products. It is important to note that Web sites and applications need to maintain session affinity across load-balanced resources. If there are two
Web servers behind a load balancer and a user’s initial session is sent to Web server A, for
example, the affinity between that user and the application thread active on Web server
A must be maintained. Otherwise, the user’s experience on the Web site would not be
consistent—Web server A would have some of the information and Web server B would
have other parts, resulting in a useless session, broken shopping cart, and so on.
A load balancer receives traffic for other devices or services via a virtual IP address. In a
simple application, one Web server would receive and process all user sessions. In the preceding Web site example, both Web servers have individual IP addresses and both need
to receive and process network traffic. To enable this, all the traffic is sent to a virtual
IP address that is hosted on the load balancer, which forwards the relevant traffic to each
resource behind it. This address is labeled “virtual” because it only exists for the purpose
of routing traffic, and it is assigned to a device that already has a hardware-relevant
IP address. A load balancer in an enterprise environment could host hundreds of virtual
IP addresses for different applications.
EXAM TIP The use of virtualization—with virtual servers and systems—
requires the same high degree of diligence with security as is required for
physical machines and networks. The concepts and implementations of
segmentation and isolation apply to virtualized networks just as much as to
physical networks.
Module 6-3: Implementing Secure Network Designs
This module covers the following CompTIA Security+ objectives:
• 2.1 Explain the importance of security concepts in an enterprise environment
• 3.2 Given a scenario, implement host or application security solutions
• 3.3 Given a scenario, implement secure network designs
NOTE Wireless networks also need security and are an important part of just
about every network out there. Wireless security gets its own discussion in
Chapter 7.
Securing the LAN
To have a LAN you must have at least one switch. A perfectly functional LAN consists
of nothing more than a single host and a single dumb switch, although in all but the
smallest LANs you’ll usually see two or more managed switches, creating the broadcast
domain that defines a LAN. Most installations use rack-mounted switches with professionally installed structured cabling (Figure 6-16).
06-ch06.indd 343
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
344
Figure 6-16
Switches in a rack
Structured
Cabling
Switches
Servers
Traditionally, a switch filters and forwards Ethernet frames, memorizing the MAC
addresses of all the connected hosts and then creating point-to-point connections for all unicast traffic while at the same time remaining completely capable of supporting broadcasts.
EXAM TIP The CompTIA Security+ objectives remind readers of an important
secure network design and implementation tip, securely accessing servers
for configuration. Typically, we access servers through in-band management
software, such as VNC or SSH. The server operating system and software
enable that access.
With out-of-band management, in contrast, the network administrator
can access the server even if the server isn’t running, directly interfacing
with the firmware of the server. You might recall a common out-of-band
management feature from your CompTIA Network+ studies, lights-out
management (LOM). Expect a question on secure network design that
features out-of-band management.
Port Security
Bad actors love access to a network’s switch. Access to a switch opens vulnerabilities to
attacks. ARP spoofers steal the MAC addresses of legitimate systems, enabling man-inthe-middle/on-path attacks. Denial-of-service attacks can flood a switch with confusing
06-ch06.indd 344
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-3: Implementing Secure Network Designs
345
I’m one plug away
from totally nailing
your network. Sweet!
Figure 6-17 Just give me one port, just one…
MAC information. An attacker can plug in a rogue DHCP server, knocking systems off
the network. They can start sending out IPv6 neighbor discovery packets, telling the
hosts that the attacking system is their gateway and redirecting traffic (Figure 6-17).
Switch ports require security to protect against these attacks. Flood guards and loop
prevention are a few of the features you’ll see in all better switches. Keep in mind that
port security is applied to individual ports.
Broadcast Storm Prevention Attackers use traffic floods primarily to conduct denialof-service attacks on networks and hosts, since many hosts and network devices don’t
always react very favorably to excessive amounts of traffic or malformed traffic. Because
flooding is a routine tactic of attackers, most modern network devices (and even some
hosts) have flood protection built into their operating systems. These flood guards or
broadcast storm prevention features work by detecting excessive traffic (by volume, as well
as by rate of speed) and take steps to block the traffic or even turn off the offending
port, so that the host doesn’t have to process it. Most security devices, such as intrusion
detection systems, firewalls, and robust network devices like better switches, have flood
guards built in.
NOTE Flood guards protect against DoS attacks by limiting the number of
new MAC addresses accepted.
Another common feature on better switches is called media access control (MAC) filtering (or persistent MAC or sticky MAC addressing). In many networks, a tech plugs a host
into a port and the host stays there for years. The network administrator configures the
switch port for that host to accept frames from only that MAC address, preventing bad
actors from unplugging the host and plugging in their evil system.
Many enterprise-level switches come with a feature known as Dynamic Host Configuration Protocol (DHCP) snooping. With a DHCP snooping–capable switch, the switch
is either automatically or manually given the IP addresses of the DHCP servers on your
06-ch06.indd 345
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
346
I’m a legit DHCP Server!
WANTED
No. You’re not!
12-34-56
78-9A-BC
12-34-56-78-9A-BC
Figure 6-18 Trusted DHCP server
network. If any device other than the DHCP servers with the known IP addresses tries
to send DHCP information, the server will automatically turn off its associated port
(Figure 6-18).
Loop Prevention Some floods happen just from misconfiguration. If two or more
pathways connect two switches, for example, this creates a loop, which then causes a
broadcast storm—a type of flood (Figure 6-19). All but the simplest switches implement
some kind of loop prevention, such as the Spanning Tree Protocol (STP).
STP is almost always enabled in the switch’s configuration. When turned on, STP
switches send out Bridge Protocol Data Unit (BPDU) guard frames every two seconds,
quickly stopping loops by automatically turning off one of the ports that’s supporting
the loop (Figure 6-20).
Network Access Control Network access control (NAC) provides network
protection and security by prohibiting hosts from connecting to the organization’s
infrastructure unless they meet certain criteria. A NAC device provides an entry point
or gateway into the network, typically for remote or mobile clients. This device checks
the health and security settings of the client—a host health check—against a specified set
of criteria before allowing it to access the network. For example, a NAC device could
check the client for the latest antivirus signatures, the latest security updates, and other
Figure 6-19
Loops are bad.
Bridge Loop
06-ch06.indd 346
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-3: Implementing Secure Network Designs
347
Figure 6-20
STP to the rescue!
Turn off this port!
security configuration items. If the client does not meet these requirements, the NAC
device does not allow the client to connect to the network. Additionally, the NAC
device might be able to update the client dynamically or reconfigure certain options so
that the client could proceed with authentication and connection to the infrastructure.
NAC could also be used to authenticate devices, allowing only authorized devices
to connect. Normally, a NAC device would be placed on a secure segment within a
DMZ network.
NOTE Most networks that use NAC adopt a security position called Zero
Trust (described in Module 6-2). No device is trusted at all until it passes a
health check.
NAC supports devices using agents or runs agentless. Agent-based NAC tracks many
features of potentially inbound devices, such as software versions and so on. The agentbased approach enables very fine control over allowing a device to connect to the network. The criteria used for an agent-based approach can be permanent or dissolvable.
The former means the device that wants access to the network must have some software
loaded—that software stays loaded. A dissolvable agent system runs something once on
the device and admits or denies access; the software is then deleted.
Agentless NAC (such as one based on Windows Active Directory) would apply group
policy rules to enforce the controls that an agent-based NAC device would do directly.
Internet Connection Firewalls
We’ve covered firewalls twice so far in this book, first for individual hosts, then as a tool
to segment networks. Let’s move back to firewalls one more time, this time to the place
that most folks think about when they hear the word firewall: the default gateway.
Systems inside a LAN get their messages out of their LAN via a default gateway. The
default gateway connects directly (or indirectly through in-house routers) to an ISP, which
in turn connects to a router higher up on the Internet. Given the position of the default
gateway at the edge of the network, it is a natural location to place a firewall to protect the
local network. Network-based firewalls manifest in many ways, but the most common is
at the default gateway, which includes a bevy of firewall features (Figure 6-21).
06-ch06.indd 347
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
348
Figure 6-21 Typical gateway
EXAM TIP Given the setup of most networks these days, the default
gateway often also acts as a network address translation (NAT) gateway,
enabling many internal devices to use private IP addresses and access the
Internet through a single public IP address. You’ll recall how NAT works from
CompTIA Network+. For CompTIA Security+, think of scenarios using NAT as
a typical implementation of secure network designs.
This firewall manifests in many ways. SOHO environments see firewalling software
added to the router directly. Larger networks require a different solution. As with so
many other network components, firewalls can be software-based or dedicated hardware
boxes. They come as open-source software or as proprietary software.
06-ch06.indd 348
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-3: Implementing Secure Network Designs
349
EXAM TIP Look for comparison questions on the CompTIA Security+ exam
that explore hardware vs. software firewalls and open-source vs. proprietary
firewall software solutions.
The primary function of any firewall is to inspect incoming IP packets and block
the packets that could potentially hurt the hosts on the LAN. To do this, today’s firewalls have three very different methods: stateless, stateful, and application-based. The more
advanced firewalls —called next-generation firewalls—combine multiple methods.
Stateless Firewalls
A stateless firewall looks at every incoming packet individually without considering anything else that might be taking place (ergo stateless). Stateless firewalls, also called packet
filters, are the oldest type of firewall. If you’re going to have a firewall inspecting every
packet, you must have some form of checklist that the firewall uses to determine whether
a packet should be blocked. This is the router’s access control list (ACL). The ACL for an
Internet gateway firewall is a unique tool that defines what makes a packet good or bad.
A stateless firewall’s ACL can only define aspects of an IP packet to filter. A typical
ACL would include these aspects:
• IP address Block specific incoming/outgoing, destination/source IP addresses
or complete network IDs
• Port number Block specific incoming/outgoing, destination/source port
numbers or ranges of port numbers
• Time/date Block based on time of day, day of week
A stateless firewall makes it easy to combine filters to create surprisingly sophisticated
ACL rules. You can set up a basic home firewall, for example, to keep your child’s desktop
system from accessing any Web pages (ports 80 and 443) between the hours of 10 p.m.
and 6 a.m. on school nights. Figure 6-22 shows the ACL interface for a home router with
a built-in firewall.
One feature of all ACLs is the idea of implicit deny. Implicit deny means that by
default there is no access unless the ACL specifically allows it. For example, every firewall’s ACL denies all incoming IP packets unless a particular packet is a response from a
request initiated by one of the hosts on your LAN.
Stateless firewalls are simple and work well in many situations, but fail miserably
where inspecting and blocking without consideration of the state isn’t helpful. Consider
a simple FTP session, run in the classic active mode:
1. A host inside the LAN (1.2.3.4) initiates a connection to an outside FTP server
(2.3.4.5) using destination port 21 and, for this example, a source port of 12,345.
2. The firewall notes that an internal host has initiated an outgoing connection on
port 21.
3. The FTP server responds to 1.2.3.4, port 12,345 with source IP address 2.3.4.5
and source port 21. The firewall recognizes this incoming connection as a response
and does not block it.
06-ch06.indd 349
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
350
Figure 6-22 Firewall ACL interface
4. The FTP server initiates a data connection to 1.2.3.4, port 12,345 with source
address IP 2.3.4.5 and source port 20.
5. The firewall does not recognize this incoming connection and, because of implicit
deny, blocks the connection.
Stateless firewalls were such a problem for FTP that the FTP protocol was redesigned
to use a second, passive mode. Passive mode only uses port 21.
Just as you can harden a switch against bad actors spoofing a legitimate system’s MAC
addresses, you can protect against IP address spoofing with a firewall. Helping to prevent
IP address spoofing on our networks is one area where stateless firewalls still do a great job.
Routers can use several antispoofing techniques. A very popular one is to have a router
query its DHCP server for legitimate systems on the network. Every initial packet going
out is cross-checked against the DHCP server’s IP address list.
06-ch06.indd 350
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-3: Implementing Secure Network Designs
351
Stateful Firewalls
A stateful firewall understands the procedures and processes of different Internet protocols and filters any form of communication that is outside of proper procedures. A
stateful firewall understands several functions expected in normal TCP and UDP communication and uses that intelligence to inspect the state of that connection. Stateful
firewalls collect several packets in a connection and look at them as a state to determine
if the communication meets correct protocol steps. One great example is how a stateful
firewall can monitor a TCP connection. Every TCP connection starts with three messages, known as TCP’s three-way handshake:
1. The initiating system sends a SYN message, requesting a TCP connection.
2. The responding system sends a SYN/ACK message, informing the initiating
system it is ready to start a connection.
3. The initiating system sends an ACK message, acknowledging the responding system.
Figure 6-23 shows a Wireshark capture of a three-way handshake.
Let’s say we have a stateful firewall protecting a Web server. It allows the incoming
SYN connection from an unknown Web browser (a firewall protecting a public-facing
server must allow incoming connections), but it stores a copy of the incoming packet in
a table. It also allows the outgoing SYN/ACK packet from its server and keeps a copy of
Figure 6-23 TCP three-way handshake
06-ch06.indd 351
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
352
that as well. When the Web browser responds with a proper ACK message, the firewall
sees this as a good connection and continues to keep the connection open. If the Web
browser does anything that makes the stateful firewall think the connection is outside
of the protocol, on the other hand, it will block the connection for a certain amount
of time.
Stateful firewalls don’t have ACLs. They come from the manufacturer with all the
state-smarts they’re ever going to have. For most stateless firewalls, it’s simply a matter of
turning them on or off to enable or disable firewall duties.
NOTE Very advanced stateless firewalls (from companies like Cisco or
Juniper) may have a few filters (don’t call them ACLs) for their stateless
firewalls, but those are outside the scope of the CompTIA Security+ exam.
Application Firewall
An application firewall has deep understanding of both the stateful and stateless aspects
of a specific application (HTTP is by far the most common type of application firewall)
and can filter any traffic for that application that could threaten it. Application firewalls
can be thought of in two different contexts. In the first, an application firewall is an
appliance—a box—or network device that works at all seven layers of the OSI model and
can inspect data within protocols.
Think of a situation in which HTTP traffic is filtered in a firewall. In an ordinary
stateful firewall, the traffic is filtered based upon an established connection from an
internal host. HTTP traffic is allowed in or out based upon whether the protocol itself is
allowed, over which port the traffic is destined, its source or destination IP address, if it is
the result of an established connection, and so on. This means that filtering is done based
upon the characteristics of the traffic itself, rather than the content of the traffic. Application firewalls look at the content of the traffic as well, in addition to its characteristics.
So, if HTTP is otherwise allowed into the network, an application firewall also looks at
the content of the HTTP traffic, often detecting whether the content itself is allowed.
EXAM TIP A typical application firewall acts as a content/URL filter, blocking
traffic based on the content of the traffic and on the source URL.
Application firewalls can be network-based or host-based; in the context of our discussions for this module, host-based firewalls are more relevant. Although most industrial
static hosts do not use application firewalls specifically on their platforms, some of the
more modern hosts, especially consumer devices, do have them. A host-based application
firewall controls the applications and services on that device only, and it secures their
connections to the network and interfaces with each other.
NOTE Application firewalls are often referred to as Layer 7 firewalls because
OSI Layer 7 is also known as the Application layer.
06-ch06.indd 352
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-3: Implementing Secure Network Designs
353
Figure 6-24 Barracuda cloud WAF settings
Given the huge number of Web applications living in the cloud, just about every
manufacturer of application firewalls for Web apps—appropriately named Web application firewalls (WAFs)—also provides cloud-based virtual appliances (Figure 6-24).
EXAM TIP Look for questions on the CompTIA Security+ exam that
compare firewall implementations, from appliance vs. host-based vs. virtual.
Appliance assumes a dedicated hardware box; host-based relies on software
running on a workstation; virtual has software running in a virtual machine
to handle the firewall duties.
In a way, we can separate application firewalls from stateless and stateful firewalls in
terms of their primary job. Application firewalls are designed to protect public-facing
servers providing specific applications, so we can call them application-based firewalls.
Stateless and stateful firewalls mainly protect LANs from the many evils that come from
the Internet, so we can call them network-based firewalls. If you don’t have a public Web
application server or an e-mail server (or a few other applications), you have no need for
this type of firewall.
Next-Generation Firewalls
A next-generation firewall (NGFW) functions at multiple layers of the OSI model to
tackle traffic no traditional firewall can filter alone. A Layer 3 firewall can filter packets
based on IP addresses, for example. A Layer 5 firewall can filter based on port numbers.
Layer 7 firewalls understand different application protocols and can filter on the contents
of the application data. An NGFW handles all of this and more.
06-ch06.indd 353
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
354
An NGFW implements all sorts of traffic inspection policies at all layers. These include
Ethernet rules (Layers 1 and 2), NAT rules (Layer 3), and HTTPS rules (Layer 7). An
NGFW can grab and decrypt SSL/TLS traffic (HTTPS) and inspect it. This helps protect against and remove malware before it nails the network.
EXAM TIP You’ll see NGFW at work in the CompTIA Security+ exam doing
Secure Sockets Layer (SSL)/Transport Layer Security (TLS) inspection. That’s all
about grabbing and examining encrypted packets.
As you might suspect, NGFW appliances function just fine with both IPv4 and IPv6
networks, or both for that matter. A typical NGFW can get an IP address from DHCP
or DCHCv6 and play well with stateless IPv6 auto-configuration. When thinking about
implications of IPv6 for a network, moving to an NGFW might make the best option
for future-proofing your security.
Securing Servers
Anyone providing a server that offers any service to the public Internet has a big security
job ahead of them, and the CompTIA Security+ exam objectives reflect the importance
of this effort with many security topics covering what it takes to protect servers. In fact,
all of Chapter 8 goes into detail on what’s needed to protect different Internet services,
such as Web and e-mail.
Before we start lighting up Web or e-mail servers, there’s a lot we can do to place
them in a safe place in which they can operate quickly and safely. We can choose from
among many specialized security appliances to add to any network that supports one or
more Internet servers, regardless of what type of Internet service they provide, to provide
security.
Proxy Servers
The Internet is filled with servers and the clients that access them. In many situations,
we find it helpful to put a box between the client and the server for certain applications.
These boxes accept incoming requests from clients and forward those requests to servers.
Equally, these boxes accept responses from servers and then forward them to the clients.
These boxes are known as proxy servers or often just proxies.
EXAM TIP Proxies work at the application level. There are Web proxies, e-mail
proxies, FTP proxies, and so forth. Multipurpose proxies support multiple
applications.
Proxies come in one of two forms: forward or reverse. A forward proxy is known to the
client system, often in the same LAN, taking the requests from the client, maybe doing
something with the request, and then forwarding the request to the server just like any
other client (Figure 6-25).
Forward proxies are popular in organizations such as schools where the network
administrators need to apply security controls to Internet access. A forward Web proxy
06-ch06.indd 354
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-3: Implementing Secure Network Designs
355
Hey Proxy, please forward my
SYN request to Server?
Hey Server, I’m just a client,
here’s a request. SYN!
Oh, OK! SYN/ACK!
Sure.
Forward
Proxy
Client
Server
Figure 6-25 Forward proxy
almost always includes a strong firewall to check outgoing requests for blocked URLs,
time-of-day restrictions, and anything else that needs be monitored to support the security policies of the organization.
A reverse proxy is used to protect servers. Reverse proxies are usually inside the same
LAN as the servers. They always contain an application firewall to check the incoming
requests for attack vectors and then pass the good requests to the server (Figure 6-26).
Proxies work at the application level, so traditionally a system’s application must be
configured to use a proxy. If a client is to use a forward Web proxy, then every Web
browser on every client is configured to use it. Figure 6-27 shows the proxy settings in
a Web browser.
All this configuration is a pain, especially if you have a thousand users all using different Web browsers. So why not let your router simply inspect all the data going out on
the application’s port numbers and simply redirect those packets to your proxy? That’s
the idea behind a transparent proxy. Most forward proxies support a transparent mode to
do just this.
Hey Server, I’m just a client,
here’s a request. SYN!
Hey Server, I’ve got a request.
SYN!
Oh, OK! Proxy.
SYN/ACK!
Sure.
Client
Reverse
Proxy
Server
Figure 6-26 Reverse proxy
06-ch06.indd 355
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
356
Figure 6-27 Web proxy settings
Deception and Disruption
Network security professionals and network administrators can set up systems to entice
and lure would-be attackers into traps. These deception and disruption systems are so
very sweet: honeyfiles, honeypots, and honeynets. And then there’s the DNS sinkhole, a
related technology. Let’s take a look.
A honeyfile baits attackers to access it on a file server. The file name “passwords” could
trigger an alarm when anyone accesses the honeyfile.
A honeypot is a host designed to be compromised, so it has multiple vulnerabilities. A
honeypot is placed on the network to attract the attention of malicious hackers, hopefully drawing them away from other, more sensitive hosts. If an attacker victimizes a honeypot, you can study his methods and techniques to help you better protect the actual
network against those same methods and techniques.
Honeypots can be boxes that are misconfigured or intentionally not patched, or they
can be prebuilt virtual machines. There’s even software out there that can emulate dozens or hundreds of hosts at the same time, spanning several different operating systems,
including different versions of Windows, Linux, macOS, UNIX, and so on.
06-ch06.indd 356
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-4: Virtual Private Networks
357
A honeynet, as you might guess, is an entire network of honeypots on their own network segment, used to get a hacker bogged down in a decoy network while the administrator locks down and secures the sensitive network and records and tracks the actions
of the hacker.
Network deception techniques such as these can use fake assets, fake data, and fake
telemetry (like server load, availability, memory consumption), all to gather intelligence
on hacker techniques and sophistication.
A DNS sinkhole acts as a DNS server (or a DNS forwarder) for a LAN. The DNS
sinkhole contains a list of known domains associated with malware, ad networks, and
other forms of undesirable code. When a host on the LAN requests a DNS resolution,
the DNS sinkhole compares the request to the list of known negative sites and, if there is
a match, responds with a blank or null IP address. The effect of a working DNS sinkhole
is the blocking of almost every advertisement for every system on the LAN with almost
no negative performance impact on the LAN.
Module 6-4: Virtual Private Networks
This module covers the following CompTIA Security+ objectives:
• 3.1 Given a scenario, implement secure protocols
• 3.3 Given a scenario, implement secure network designs
A virtual private network (VPN) uses the public Internet as a direct connection
between a single computer and a faraway LAN or between two faraway LANs. This is
not a remote desktop connection or a terminal or a Web page connection. A VPN puts
a single system or a separate LAN on the same broadcast domain, the same Layer 2 connection, just as if the faraway system plugged directly into the LAN’s switch.
A successful VPN connection gives your remote system an IP address on your LAN.
You can print from the remote system to your LAN’s printers. You can see all the shared
folders on other computers on the LAN. You are there. Well, at least your Ethernet
frames are there.
VPNs are incredibly powerful for remote single users or remote networks that need
to get to a LAN’s internal servers. VPNs are a well-established technology and are easy
to implement. Most enterprise environments have VPN access for employees and, in
some cases, vendors. SOHO environments can use VPNs as well. My home network, for
example, is configured to let me access my home network from anywhere on the Internet.
Given the popularity of VPNs and given the fact that they enable people to move
potentially sensitive data securely across the wide-open Internet, VPNs are a very attractive target for the CompTIA Security+ exam. This module dives into VPNs, first describing how they work and then looking at the many protocol choices available for setting
up a VPN.
06-ch06.indd 357
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
358
EXAM TIP Expect several questions on VPN scenarios on the CompTIA
Security+ exam. In essence, a VPN boils down to making a secure connection
to access remote resources as if they were local resources. Implement secure
protocols (like IPsec) to make the VPN connections and thus implement
secure network designs.
How VPNs Work
To make a faraway computer manifest as a local computer on your LAN, you need to do
several actions. First, you need to connect to the other network over the Internet. That
means you need a system with a public IP address that accepts VPN connections. Second, you need to create a second network connection that uses the Internet connection
you’ve established to allow you to send LAN traffic over the Internet. Third, you should
encode your data to keep private whatever files, print jobs, or other information you send
to the faraway LAN.
VPNs work in one of two different ways. You can connect a single system to an existing LAN in what is called remote access, or you can connect two complete LANs in siteto-site. Figure 6-28 shows the two options.
To make a connection, at least one system must have a VPN server, more commonly
called a VPN concentrator, designed to accept remote connections from either a single
system (for remote access) or another VPN concentrator (for site-to-site). A VPN concentrator is often special VPN software installed on edge routers, or it may be VPN
server software installed on a system inside your network. In either case, one system connects to the VPN server and makes a connection (Figure 6-29).
VPN connections require tunneling or embedding of IP traffic inside other packets.
The VPN to VPN connection gets made, in other words, and then the true traffic happens inside the secure connection. The VPN concentrators continually insert the local
How do I join
that faraway
network?
How do we
join that
faraway
network?
Remote Access
Site-to-site
Figure 6-28 Remote access vs. site-to-site
06-ch06.indd 358
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-4: Virtual Private Networks
359
Internet
VPN Concentrator
Internet
Figure 6-29 VPN concentrators added
traffic in Internet packets and send them through the tunnel; or they receive incoming
Internet packets, strip away the outer IP information, and send the remaining frame to
the local network (Figure 6-30).
EXAM TIP Site-to-site VPN concentrators generally never disconnect. We call
these always-on VPNs.
One early problem with VPNs was that once you connected to a LAN, that was your
only connection. Your IP address and default gateway were on that LAN; you used that
LAN’s DHCP and DNS servers. That meant if your computer was connected to a VPN
and opened a Web browser, your computer went through the VPN connection and then
went back out and used the Internet connection on your LAN. This is called a full tunnel and is a terrible way to get to the Internet. Current VPN technologies enable you
Figure 6-30
VPN tunnel on
one endpoint
Internet
TUNNE
L
06-ch06.indd 359
LAN PACKET
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
360
to configure a VPN connection to send only LAN traffic through the tunnel. All other
traffic ignores the tunnel. This is a split tunnel and is the most common type of tunnel.
EXAM TIP The CompTIA Security+ exam will most likely ask you to
differentiate between split-tunnel vs. full-tunnel VPN connections.
Early VPNs
The first VPNs used one of two competing protocols. The Point-to-Point Tunneling
Protocol (PPTP) was developed by Microsoft to include VPN connection technologies
within Microsoft operating systems. PPTP enables a client to send data in it, much as
you would a letter in an envelope. The PPTP packet contains the destination IP address
of the network you are attempting to connect to. Inside this PPTP envelope is the traffic
that will pass through the external VPN connection device intended for the destination
network. This traffic would not be secure using PPTP alone; Microsoft uses its proprietary Microsoft Point-to-Point Encryption (MPPE) protocol to secure traffic traveling
over PPTP. PPTP uses TCP port 1723. It’s rarely seen over VPN connections these days,
as most modern VPNs use some form of IPsec or SSL/TLS VPNs, described later.
Layer 2 Tunneling Protocol (L2TP) was developed jointly by Microsoft and Cisco, but it
has become an Internet standard. Microsoft contributed aspects of its PPTP, while Cisco
used its proprietary Layer 2 Forwarding (L2F) protocol. Like PPTP, L2TP is only an
encapsulation protocol, simply providing transport services and protecting data through
untrusted networks (such as the Internet) to get it to a destination network. L2TP still
sees some adoption but is also fading to IPsec and SSL/TLS VPNs.
IPsec VPNs
Internet Protocol Security (IPsec) is a security protocol that works at the Network layer
of the OSI model. IPsec was developed to provide security services (authentication and
encryption) for IP traffic, since IP does not have any built-in native security protections.
Three major protocols make up IPsec: AH, ESP, and ISAKMP.
NOTE CompTIA lists IPsec with an uppercase S, IPSec. That’s not accurate
and never has been, but CompTIA uses the incorrect casing on every
certification objective (not just Security+) that references IPsec.
The Authentication Header (AH) protocol provides authentication and integrity services for IP traffic. AH can be used on the entire IP packet, including the header and
data payload.
The Encapsulating Security Payload (ESP) protocol takes care of encryption services.
ESP can provide protection for the entire IP packet, depending the IPsec mode used,
transport or tunnel.
06-ch06.indd 360
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-4: Virtual Private Networks
361
Encrypting the IP header can cause problems if routers and other devices can’t read the
header information, including the source and destination IP addresses. Between hosts on
a network, the header information isn’t usually required to be encrypted, so ESP doesn’t
have to be used. This is called IPsec’s transport mode. In transport mode, header information is not encrypted so that hosts and network devices can read it. The data, on the other
hand, can be encrypted to protect it, even within a LAN.
IPsec tunnel mode is used when IP traffic is encapsulated and sent outside of a LAN,
across WAN links to other networks. This is what happens in VPN implementations that
use IPsec. In tunnel mode, since the IP packet is encapsulated in a tunneling protocol
(such as L2TP), all the information in the packet, including headers and data payload, can
be encrypted. So, ESP is typically used only in tunnel mode.
The third IPsec protocol—Internet Security Association and Key Management Protocol (ISAKMP)—is used to negotiate a mutually acceptable level of authentication and
encryption methods between two hosts. This acceptable level of security is called the security association (SA). An SA between two hosts defines the encryption type and method,
algorithms used, types of cryptographic keys and key strengths, and so on. The Internet
Key Exchange (IKE) protocol—IKEv2 these days—is used in ISAKMP to negotiate the
SA between hosts. IKE uses UDP port 500 to accomplish this.
While IPsec is usually seen in VPN implementations paired up with L2TP as its tunneling protocol, IPsec can be very effective in securing traffic within a LAN, particularly
sensitive traffic between hosts that an organization wouldn’t want to be intercepted and
examined. IPsec offers a wide variety of choices for encryption algorithms and strengths
and is very flexible in its configuration. You can choose to protect all traffic between
certain hosts or protect only certain aspects of traffic, such as certain protocols or traffic
that travels between certain ports.
TLS VPNs
The only serious competitor to IPsec VPNs is VPNs using the SSL/TLS protocol. This
is the same SSL/TLS protocol used in secure Web pages. SSL/TLS VPN connections
don’t require special client software installed on the system that wants to connect to the
remote network. That system uses only a Web browser and SSL/TLS security to make
the VPN connection.
EXAM TIP Sophos has a Unified Threat Management (UTM) system on
Amazon Web Services (AWS) that enables you to log into AWS and get a list
of predefined network services. The system requires an HTML5-compliant
browser—so the latest Chrome, Firefox, or Safari work fine—but the catch
is interesting: you can only access content remotely; you can’t download
content to your local machine. Sophos calls its service a VPN portal—and
CompTIA includes HTML5 VPN as a VPN option. Be aware that this exists for
the exam.
06-ch06.indd 361
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
362
Module 6-5: Network-Based Intrusion
Detection/Prevention
This module covers the following CompTIA Security+ objectives:
• 3.2 Given a scenario, implement host or application security solutions
• 3.3 Given a scenario, implement secure network designs
Network-based intrusion detection systems (NIDSs) and network-based intrusion prevention systems (NIPSs) look at attacks coming into the network at large instead of into a
host. Attacks could be in the form of malformed network traffic or excessive amounts of
traffic that would easily exceed a host’s threshold to handle effectively. An attack could
also manifest as malicious content embedded in traffic or other forms of malware. Network intrusion handling also might look at massive DDoS conditions, such as those
caused by botnet attacks. (More on this specific attack in Chapter 8.)
Detection vs. Prevention
One point of interest is the difference between a NIDS and a NIPS. A NIDS is a passive
device and focuses on detection alone, making it a detection control. It detects network
traffic issues and alerts an administrator to these issues, also logging the events in the process. A NIPS, in contrast, is an active (CompTIA Security+ uses the term inline) device
and focuses not only on detecting network attacks but also on preventing them.
EXAM TIP The CompTIA Security+ exam will most likely ask you to contrast
inline vs. passive network-based intrusion systems. NIPS are inline; NIDS
are passive.
In addition to performing the same functions as a NIDS, a NIPS also tries to prevent
or stop attacks by taking a series of preconfigured actions, based upon the characteristics
of the attack. A NIPS may dynamically block traffic from a certain source address or
domain, for example, or block a certain port or protocol if it detects issues with it. A
NIPS can take other actions as well, such as shunting traffic to other interfaces, initiating
other security actions, tracing the attack back to its origin, and performing some analysis
on the attack, but whether a particular NIPS can perform these actions depends on the
feature set of that NIPS.
Detecting Attacks
Whether your goal is to detect and prevent attacks or solely to detect them, networkbased intrusion tools need some method to detect attacks. In general, NIDS/NIPS solutions act very much like firewalls in that they inspect packets. Detection falls into four
types: behavior, signature-based, rule, and heuristic.
06-ch06.indd 362
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-5: Network-Based Intrusion Detection/Prevention
363
NOTE Many NIDS/NIPS vendors’ detection solutions perform combinations
of these four types of detection.
Behavior/Anomaly
A behavior- or anomaly-based system detects attacks after comparing traffic with a baseline of patterns considered normal for the network. For this to work, the intrusion detection system must be installed and then given the opportunity to “learn” how the normal
flow of traffic behaves over the network. This can take time, but once the NIDS/NIPS
establishes a good baseline of normal network traffic, the system will detect any unusual
or anomalous traffic patterns that don’t fit into the normal network traffic patterns and
issue alerts on them as potential attacks.
NOTE Anomaly-based systems rely on rules and heuristic methods to
determine when behavior on the network differs from normal. See the
upcoming “Rule” and “Heuristic” sections for more details.
Signature
A signature-based system, on the other hand, uses preconfigured signature files (similarly to
how anti-malware applications work), which are stored in the NIPS/NIDS database. These
signatures define certain attack patterns based upon known traffic characteristics. Like an
anti-malware solution, a signature-based NIDS/NIPS must also have its signatures database
updated frequently, since the security community records new attack patterns often. These
updates will usually come through a subscription-based service from the NIDS/NIPS vendor, although some community or open-source signatures may be available as well.
Rule
A rule-based system uses preconfigured rules in a ruleset, much like a firewall, to detect
possible attacks. For example, if the system detected an excessive (beyond a set number or
threshold) number of ICMP packets directed at a destination IP address on the network,
the system would activate a rule, send an alert to administrators, and, in the case of a NIPS,
stop the attack. Obviously, an administrator could configure unique rules for the organization based on its network environment and historical attack experiences, but these types
of systems are also usually included as part of either a signature- or behavior-based system.
Heuristic
Finally, a heuristic system combines the best of both anomaly-based and signature-based
systems. It starts out with a database of attack signatures and adapts them to network
traffic patterns. It learns how different attacks manifest themselves on the network in
which it is installed and adjusts its detection algorithms to fit the combination of network traffic behavior and signatures.
06-ch06.indd 363
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
364
Which Is Best?
There’s no way to answer that question, and in fact, detection systems are evolving
so quickly that even these four types, while sufficient for purposes of the CompTIA
Security+ exam, are arguably too simple when applied to the most modern NIDS/NIPS
solutions. Although there are advantages and disadvantages to both anomaly-based and
signature-based systems, often, modern NIDS/NIPS are hybrid systems and may use
both techniques.
NOTE Host-based IDS/IPS solutions are almost always signature-based
products.
The big measurement for the quality of a NIDS/NIPS boils down to the solution’s
detection analytics, as in how accurately they parse data. The goal of a NIDS/NIPS is to
detect attacks and, in the case of the NIPS, do something about them. The great issues
are false positive and false negative rates. Too many false positives will give you heartburn
as you continually jump up and down from alarms that mean nothing. A false negative is
even worse, as that means your NIDS/NIPS fails to catch actual attacks. The secret is to
adjust the sensitivity of the NIDS/NIPS to create the best balance possible.
EXAM TIP Look for an exam question about advanced persistent threats
(APTs), such as a terrorist organization trying to hack into a government
agency, and the tools used to stop these attacks. Better security appliances
implement unified threat management (UTM), marrying traditional firewalls
with other security services, such as NIPS, load balancing, and more.
Configuring Network-Based IDS/IPS
In general, a NIDS/NIPS consists of many components. The core component of any
IDS/IPS is the sensor, the device that monitors the packets, searching for problems.
Given the nature of detection versus prevention, a NIPS sensor must be installed in-band
to your network traffic, while a NIDS sensor, being passive, is normally installed out-ofband. In-band in this context means the sensor processes all the traffic flowing through
the network in real time. An out-of-band sensor processes traffic, in contrast, but not
in real time. Figure 6-31 shows two sensors installed in a DMZ as examples of in-band
versus out-of-band installation.
All packets must go through in-band sensor devices. Out-of-band sensor devices need
some form of network connection that enables them to see all the traffic. Just plugging
it into a switch only allows the sensor to see traffic to and from the switch plus broadcast
traffic. If you want an out-of-band device to grab packets, you need a network tap or a
port mirror.
06-ch06.indd 364
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Module 6-5: Network-Based Intrusion Detection/Prevention
365
Figure 6-31
In-band and
out-of-band
installations
Out-of-band
In-band
DMZ
LAN
Network TAP
A network TAP—test access point—is a device that you can insert anywhere along a
run to grab packets. The network TAP in Figure 6-32 works for 10/100/1000-BaseT
Ethernet runs. You place this in the run (you’ll need to run a few patches and cables for
in/outs) and then add an out-of-band sensor to the right-hand side.
Port Mirroring
A port mirror (also called a Switched Port Analyzer, or SPAN, in Cisco devices) is a special port on a managed switch configurable to listen for all data going in and out of the
switch. Unlike a network TAP, port mirroring is convenient and easily changed to reflect
any changes in your NIDS/NIPS monitoring strategy. Port mirroring solutions are very
handy when you want to monitor more than one VLAN at a time.
Be careful about terminology here. Some folks refer to port mirroring as copying the
data from a single switch port to a monitoring port, while referring to port spanning as
grouping multiple ports (or all of them) to a monitor port.
Figure 6-32 Garland Technology Network TAP P1GCCB (Photo courtesy of Garland Technology,
www.garlandtechnology.com)
06-ch06.indd 365
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
366
EXAM TIP For some reason, objective 3.3 on the CompTIA Security+ exam
blurs some terms, calling a network TAP a port tap, for example, and SPAN
under port mirroring, port spanning. Don’t get confused between a TAP
and a SPAN.
UTM
Many vendors sell single-box solutions to handle routing, firewalling, proxy, antimalware, and NIPS. These unified threat management (UTM) boxes are excellent for
several situations (especially when you have a single Internet access and no public-facing
server). One area in which UTM thrives is monitoring: with only a single appliance to
query, it’s easy to get the information you need. Yet if you have a more complex NIDS/
NIPS setup, monitoring the NIDS/NIPS gets a bit more complex.
Monitoring NIDS/NIPS
A newly installed NIDS/NIPS is only as good as the organization around it that handles
the monitoring. Even the most automated NIPS needs a surprisingly high degree of
monitoring, making sure humans react to attacks and remediate as needed. When you
find yourself in a situation where this much monitoring takes place, you’ll find security
information and event management (SIEM). We’ve already discussed SIEM broadly back
in Chapter 4, but now that we have a specific job to do, let’s revisit SIEM. This time we’ll
plug in a few parts of a typical SIEM installation for aggregation and correlation.
Collecting Data
When it comes to SIEM, it’s all about aggregation: collecting data from disparate sources
and organizing the data into a single format. Any device within a SIEM system that collects data is called a collector or an aggregator. In a simpler NIPS setup with three sensors,
it’s common to have a single server that acts as a collector, querying the sensors for data
in real time.
Correlation
The next part of SIEM that fits nicely into NIDS/NIPS is correlation. Correlation is the
logic that looks at data from disparate sources and can make determinations about events
taking place on your network. (Note that a correlation engine could be in-band or outof-band, depending on the placement of the NIDS/NIPS.)
In its simplest form, a correlation engine might query a log, see that the same event is
logged from three different sources, and eliminate duplicates (event deduplication). A correlation engine uses the event of time constantly, so it’s critical that all devices have time
synchronization for correlation engines. A well-correlated log will have common fields
for which we can configure the NIPS system for automated alerts and triggers. Finally, it’s
critical that all logs are archived.
06-ch06.indd 366
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Questions
367
Endpoint Detection and Response
Several security manufacturers have taken a further step in integrating security solutions
to their advanced network appliances. Firewalls provide classic endpoint protection,
blocking traffic from getting to a user’s system, for example, or blocking attackers from
accessing network resources. NIPSs actively monitor traffic that could pose a threat and
act decisively to stop that activity.
Very sophisticated systems called endpoint detection and response (EDR) essentially
combine an NGFW with a NIPS on steroids to provide end-to-end monitoring, analysis, response to threat, and forensics for additional research. Full EDR systems have
rolled out since 2017 and will undoubtedly gain market share, at least at the high-end
enterprise level.
Questions
1. Which network device enables sharing among multiple servers to provide security
and efficiency?
A. Load balancer
B. Proxy server
C. Screened subnet
D. VPN
2. Which network device is used to send traffic to different physical networks, based
upon logical addressing?
A. Router
B. Switch
C. Load balancer
D. Firewall
3. Which type of device is used to provide network protection and security by
preventing hosts from connecting to the organization’s infrastructure unless they
meet certain criteria?
A. Switch
B. NAT device
C. Firewall
D. NAC device
4. All of the following characteristics describe VLANs, except:
A. VLANs require routing between them.
B. VLANs separate hosts into logical networks.
C. VLANs can be used to apply security policies and filtering to different segments.
D. VLANs allow any host plugged into the switch to become a member of the
virtual segment.
06-ch06.indd 367
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Chapter 6: The Basic LAN
368
5. Which of the following would be needed to block excessive traffic from a
particular protocol?
A. Broadcast storm prevention
B. Loop protection
C. ACL
D. 802.1X
6. Which of the following describes a network appliance that intercepts user or host
requests and then makes those requests to other hosts or networks on behalf of
the user?
A. Proxy
B. Firewall
C. NIDS
D. NIPS
7. Alix sets up a firewall for her organization that inspects traffic at Layers 2, 3, and 7.
What type of firewall did she most likely install?
A. Application
B. NGFW
C. Stateful
D. Stateless
8. A NIPS is considered a __________ type of control.
A. detective
B. preventive
C. network
D. host
9. Which of the following terms refers to a combination of multifunction
security devices?
A. NIDS/NIPS
B. Application firewall
C. Web security gateway
D. Unified threat management
10. Which of the following does an application firewall focus on for traffic filtering?
A. Traffic content
B. Protocol and port
C. Source or destination IP address
D. Domain name
06-ch06.indd 368
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 6
Answers
369
Answers
1. A. A load balancer enables sharing among multiple servers to provide security
and efficiency.
2. A. A router is used to send traffic to different physical networks, based upon
logical addressing.
3. D. A network access control (NAC) device is used to provide network protection
and security by preventing hosts from connecting to the organization’s infrastructure
unless they meet certain criteria.
4. D. VLANs do not allow any hosts plugged into the switch to automatically
become a member of the virtual segment; membership is based upon switch port,
MAC address, or IP address.
5. A. A broadcast storm prevention implementation, such as a flood guard, is used
to block excessive traffic from a particular protocol.
6. A. A proxy is a network appliance that intercepts user or host requests and then
makes those requests to other hosts or networks on behalf of the user.
7. B. A next-generation firewall works at multiple layers of the OSI model.
8. B. A network-based intrusion prevention system (NIPS) is considered a preventive
type of control.
9. D. Unified threat management (UTM) refers to a combination of multifunction
security devices.
10. A. An application firewall focuses on traffic content for filtering, rather than on
traffic characteristics.
06-ch06.indd 369
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Blind Folio 370
This page intentionally left blank
06-ch06.indd 370
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
CHAPTER
Securing Wireless LANs
7
It’s all about sound. It’s that simple. Wireless is wireless, and it’s digital. Hopefully
somewhere along the line somebody will add more ones to the zeros. When digital
first started, I swear I could hear the gap between the ones and the zeros.
—Eddie Van Halen
Modern networks incorporate wireless networks using the 802.11 standard, Wi-Fi,
enabling laptops, tablets, and smartphones to connect to the wired resources, such as
file servers and printers. Wireless networks, however, represent a broad attack surface
that, if not secured properly, provides excellent opportunities for attackers to access those
same resources. Thus, a key component of network security is to lock down wireless networks sufficiently to keep out attackers yet still enable authorized users to access network
resources easily. This involves installing and configuring wireless security settings, such
as cryptographic and authentication protocols, to secure the 802.11 wireless network,
as described in this chapter. This chapter explores topics in securing wireless LANs in
three modules:
• Networking with 802.11
• Attacking 802.11
• Securing 802.11
Module 7-1: Networking with 802.11
This module covers the following CompTIA Security+ objectives:
• 3.4 Given a scenario, install and configure wireless security settings
• 3.8 Given a scenario, implement authentication and authorization solutions
A reader posed this question: “If you could pick one attack surface to try first to penetrate a network, what would it be?” Perhaps not surprisingly at this point in the book,
my answer was “Go for the Wi-Fi!” From the day 802.11 first rolled out in the very late
1990s, the 802.11 standard has shown several vulnerabilities, from the well-documented
WEP and WPS exploits to more sophisticated attacks such as the TLS handshake.
371
07-ch07.indd 371
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
372
Figure 7-1
Wireless systems
provide a
tempting attack
surface.
?
C’mere, little
WAP!
C’mere, boy!
An astute security professional, capable of properly configuring good-quality wireless
access points (WAPs), should have no problem making an 802.11 network relatively
secure. Unfortunately, very few people have that capability, and that’s why wireless provides a tempting attack surface (Figure 7-1).
It is impossible to understand how to attack 802.11 or how to secure it without a
solid understanding of 802.11. For that reason, this module explores two threads. We’ll
start with an overview of 802.11 security protocols (and some non-802.11 protocols
that 802.11 uses). We’ll then tour 802.11 authentication methods, including advanced
authentications that only the most secure wireless networks implement.
NOTE I assume you know the essentials about 802.11 networks from
studying CompTIA A+ or Network+ (or equivalent wireless network training)
before tackling CompTIA Security+. If that’s not the case, check out one of
my All-in-One or Passport books on the subject.
Wireless Cryptographic Protocols
When wireless networking was first adopted in the consumer and business markets, no
secure wireless protocols were available to prevent eavesdropping and traffic interception.
As people became more security conscious, they realized that they needed encryption and
authentication protection on wireless networks, as they had on wired networks. Even
though the wireless medium is different, security was still a necessity. This resulted in
the development of several cryptographic protocols—protocols meant to ensure security
via encryption and cryptography, with varying degrees of effectiveness, which have been
implemented in wireless networks over the years.
As technologies have improved, these wireless cryptographic protocols have improved
as well, including newer and more secure methods of authenticating devices and encrypting traffic. In the next few sections, we’ll discuss the different wireless security protocols,
their advantages and disadvantages, and how you should implement them in your wireless network.
07-ch07.indd 372
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-1: Networking with 802.11
373
Figure 7-2 WEP is still out there (source: https://wigle.net/stats).
The Legacy of WEP
Wired Equivalent Privacy (WEP), the first security iteration of 802.11, used a shared
password encryption scheme that within a few years was discovered to be mathematically
crackable. The primary reason for this weakness came from poor key usage with the RC4
encryption. Today’s WEP cracking tools will extract a WEP key in just a few minutes.
NOTE To be fair to the original Wi-Fi developers, they didn’t intend WEP
as an encryption protocol. WEP was intended to provide wireless users
the same level of security they could expect from a wired network
(hence the name).
You’d think that, knowing WEP is so easily cracked for so long, no one would use
WEP, correct? Wrong. According to Wigle.net, the popular 802.11 database, around 5
percent of all 802.11 networks use WEP encryption as I type this, although the number
is slowly dropping (Figure 7-2).
RC4
Rivest Cipher version 4 (RC4) was built into WEP as its encryption protocol and was
very efficient because, as a streaming protocol, it rapidly encrypts 1 bit (rather than entire
blocks) of plaintext at a time. It uses a wide range of key sizes, from 40-bit to 2048-bit keys.
RC4 alone is not necessarily a weak protocol and is found in other secure protocol
implementations beyond WEP. WEP poorly implemented the RC4 protocol, however,
adding to the already numerous security flaws found in its design. For this reason, as well
as the issues involved with small initialization vectors (IVs), small key size, and static key
repetition, never use WEP in modern wireless networks.
07-ch07.indd 373
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
374
WPA
When the wireless industry (specifically, the Wi-Fi Alliance) recognized the inherent
security flaws in WEP, they realized they needed to do something very quickly to stem
the growing problem of unsecured wireless networks using WEP. Simultaneously, the
Institute of Electrical and Electronics Engineers (IEEE) began developing a new security
protocol standard for wireless networks, known as 802.11i, but the standard was delayed
for various reasons. The Wi-Fi Alliance implemented what was really a stopgap measure
in the interim to replace WEP. The result was Wi-Fi Protected Access (WPA), introduced
in 2003.
WPA has several advantages over WEP, including the use of dynamic keys and larger
key sizes. WPA, also unlike WEP, requires either no authentication (what some manufacturers call open mode), authentication to a RADIUS server (Enterprise Mode –
WPA-ENT), or the use of a pre-shared key (PSK). Originally conceived for personal or
small business infrastructure networks, the PSK setup is called WPA-Personal (sometimes
referred to as WPA-PSK) and can be used to authenticate wireless client devices and
wireless access points mutually. WPA-Enterprise, robust but complex and hard to use,
was developed for larger infrastructures and requires the use of the 802.1X authentication protocol, which we will cover a bit later in the module. Figure 7-3 shows the various
protocol options found on wireless routers.
WPA uses the Temporal Key Integrity Protocol (TKIP) for generating encryption keys.
TKIP makes it possible to use dynamic keys, which are generated on a per-packet basis.
This means the keys are not repeated for different transmissions, but require a different
encryption key on each individual packet. TKIP, combined with an improved implementation of the same RC4 stream cipher that WEP uses, provides WPA encryption. TKIP
enables backward-compatibility with legacy WEP, uses 128-bit keys, and uses a 48-bit
initialization vector.
Figure 7-3 Wireless protocol choices on a wireless network
07-ch07.indd 374
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-1: Networking with 802.11
375
The 802.11i task group came up with a very clever patch for WEP in WPA with TKIP,
but it was a patch built on the bones of WEP. Within a very short while, researchers
showed ways to exploit the underlying WEP structures. WPA remained very difficult to
crack for many years, but the full 802.11i standard needed to be implemented.
WPA2
Wi-Fi Protected Access 2 (WPA2) is the name of the first official implementation of
the 802.11i wireless security protocol standard developed by the IEEE. It offers several improvements over the original WPA, such as replacing TKIP with AES, a 128-bit
symmetric block cipher that’s much more robust but is backward-compatible due to its
inclusion of TKIP in its protocol suite. Like WPA, WPA2 also has two different implementations: WPA2-Personal (using a pre-shared key) and WPA2-Enterprise, which work
the same way as they do in WPA.
A WPA/WPA2 passphrase can be from 8 to 63 case-sensitive ASCII characters, or
64 hexadecimal characters. Now, this passphrase is not the actual WPA/WPA2 key; the
passphrase is used to generate the 256-bit pre-shared key that must be entered into all
wireless devices on the same wireless network. Note that this is different from the way
WEP implements its passwords; the WPA/WPA2 passphrase is not the key itself.
EXAM TIP
Remember that WPA uses TKIP; WPA2 uses AES.
AES
The Advanced Encryption Standard (AES)—which you read about back in Module 2-3—
is used by a wide variety of encryption applications. It was adopted as the official encryption standard for the United States by the National Institute of Standards and Technology
(NIST), after an open competition with several different competing algorithms. AES
uses the Rijndael encryption algorithm and is considered much stronger than previous
symmetric algorithms used in wireless networking, such as RC4.
AES is the encryption algorithm used in WPA2 and uses a particular process, or mode,
within WPA2 to encrypt traffic. This mode is called the Counter Mode Cipher Block
Chaining Message Authentication Code Protocol, which CompTIA shortens to Countermode/CBC-MAC Protocol (CCMP). CCMP uses a 128-bit key and 128-bit block size
(since it is a block symmetric cipher, as opposed to the streaming RC4 symmetric cipher
used in WEP and WPA), as well as 48-bit initialization vectors. The larger IV sizes help
prevent replay attacks from being conducted against WPA2 (see “Replay Attacks,” later
in the chapter).
NOTE Wireless devices often have an encryption setting that lets you
choose between AES, TKIP, and mixed mode. In mixed mode, both AES and
TKIP are supported. It is not recommended.
07-ch07.indd 375
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
376
WPA3
WPA2 has served the 802.11 industry since 2004, more than a lifetime in the IT industry.
In this time frame WPA2 has started to show some weaknesses that enable skilled bad
actors to break into wireless networks. One of the biggest weaknesses of WPA2 is the
pre-shared key. Anyone in possession of the single PSK can give it to others and they
can use it to access the network. Worse, there are a number of attacks—in particular
the infamous KRACK on-path (MITM) attack—that work on any WPA2 network. By
the middle aughts, it was clearly time to improve on WPA2 with the next generation of
802.11 security. The Wi-Fi Alliance released the replacement for WPA2, called Wi-Fi
Protected Access 3 (WPA3), in 2018.
WPA3 brings many improvements over WPA2. Most notably, Simultaneous Authentication of Equals (SAE) replaces PSK—at least for encryption. If you set up an “open”
SSID with a WPA3-capable WAP, SAE automatically forces every WPA3-capable device
connecting to that WAP to use a Diffie-Hellman–style authentication/encryption process. In other words, the day of the unencrypted wireless connection no longer exists
in WPA3.
EXAM TIP Look for a comparative question on the CompTIA Security+
exam that explores pre-shared key (PSK) vs. enterprise vs. open. This applies
primarily to WPA2, not WPA3, but PSK means using personal mode, enterprise
means connecting to a RADIUS server, and open means having no security at
all (i.e., open season on your network).
WPS
You can fairly easily join to a wireless network any system that has a screen and input
method (keyboard, mouse, or touch screen). Joining a system, such as a printer, that
lacks a screen and input device is much harder. In many cases they require separate setup
programs or painfully complex configurations through tiny text screens and pressing up
and down buttons through entire alphanumeric strings to type in passwords.
Recognizing the popularity of wireless devices in non-enterprise networks, the Wi-Fi
Alliance introduced Wi-Fi Protected Setup (WPS) in 2006. The goal of WPS is to enable
anyone to join a WPS-capable device to a WPS-enabled wireless network just by pressing
two buttons. Press the button on the WAP (Figure 7-4), then press the button on the
device you want to join to the network; your device connects to the SSID and takes on
the WAP’s WPA2 encryption. Neat!
Alternatively, every WPS-enabled WAP comes with a fixed eight-digit PIN code to
allow devices without a WPS button (like a laptop) to connect to the WAP. You press the
button on the router and then enter the router’s PIN code as the SSID’s password. Unfortunately, the eight-digit code has two problems. First, only seven of the eight digits are
used (the eighth digit is only a checksum). Additionally, the seven digits are confirmed
in two groups: the first three values, then the last four. This means it only takes about
11,000 guesses to crack a WPA PIN code. Yipe!
07-ch07.indd 376
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-1: Networking with 802.11
377
Figure 7-4
Typical WPS
button on home
router
WPS button
So What Do We Use?
If you install an 802.11 network, the Wi-Fi Alliance states that you must use either
WPA2-ENT or WPA2-PSK with a robust password. On all my PSK networks I make a
point to use a 15- to 20-character password. Here’s one of my favorites (please don’t hack
me): ioncelivedinsedalia.
Wireless Authentication Protocols
We’ve spent some time discussing wireless encryption, as well as wireless authentication,
between a simple wireless client and its access point. Most of the discussion has been very
general and could apply to small home wireless networks, small business networks, and
even, to a degree, large enterprise-level wireless networks. Now let’s take a moment to
talk about the enterprise side of wireless networking, which usually involves more complex authentication methods and may involve using a wireless network to connect into
a larger corporate wired network. We’ll talk about different authentication methods and
protocols that are primarily used in enterprise infrastructures, particularly when using
the more advanced features of WPA and WPA2.
EXAM TIP Authentication protocols, as the name suggests, authenticate
users to a network. Cryptographic protocols provide security mechanisms,
such as encryption. Secure networks, wireless as well as wired, require use of
both types of protocols.
802.1X
802.1X is an IEEE standard, just like the 802.3 Ethernet standards and 802.11 wireless networking standards. The great thing is that, while 802.1X is probably encountered most often on corporate wireless networks as the preferred form of authentication
and access management control, it is not a wireless standard at all and can be used in
wired networks as well. This actually makes it easier for wireless and wired networks to
07-ch07.indd 377
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
378
interoperate, since they can use the same authentication methods and can connect to
each other quite easily. 802.1X is called a port-based access control method and can use a
wide variety of different security protocols. In that respect, it’s more of a security authentication framework than a protocol itself, since it allows various protocols to be used for
authentication.
802.1X uses some interesting terms you may need to be familiar with for the exam.
First, a wireless client device is known as a supplicant in an 802.1X environment. A wireless access point that uses 802.1X authentication methods is called the authenticator,
and the source providing the authentication services to the wireless network is called the
authentication server. 802.1X is interoperable with a number of remote access services
and protocols, such as RADIUS and TACACS+, as well as centralized authentication
databases such as Active Directory. This enables wireless clients to authenticate to traditional infrastructures using these different types of services.
802.1X can use several different types of authentication protocols, such as EAP,
EAP-TLS, EAP-TTLS, PEAP, LEAP, and EAP-FAST. Let’s check out this string of
acronyms now.
EAP
Like the 802.1X authentication protocol, the Extensible Authentication Protocol (EAP)
isn’t so much a protocol as a security framework that provides for varied authentication
methods. Many different protocols fit into the EAP framework, and that’s really why it
was devised in the first place. EAP recognizes that there are several different authentication methods, including certificate-based authentication and other multifactor authentication methods, such as smart cards and so on. EAP can still allow the traditional user name/
password combination of authentication as well. EAP also allows for mutual authentication between devices as well as directory-based authentication services.
There are several different variations of EAP, some older, and some more suitable for
use than others. These include EAP-TLS, EAP-TTLS, PEAP, and EAP-FAST (plus others you won’t see on the exam). Let’s cover the EAP versions mentioned in the CompTIA
Security+ exam objective.
EAP-TLS
EAP Transport Layer Security (EAP-TLS) was for years the primary EAP variation used
on high-security wireless networks. As the name implies, EAP-TLS uses the same TLS
protocol used on secure Web pages. EAP-TLS requires both a server-side certificate and
a client-side certificate (client-side certificates are rarely used on Web pages, but the TLS
protocol certainly supports their use).
Client-side certificates are an administrative headache because every laptop, smartphone, tablet, or printer on the network must have a unique certificate. Losing a device
requires disassociating the missing device’s certificate to ensure security. If you want the
ultimate in 802.11 authentication security, however, EAP-TLS is the way to go.
EAP-TTLS
EAP Tunneled Transport Layer Security (EAP-TTLS) may share a similar-sounding acronym to EAP-TLS, but it is a completely different EAP variation (Figure 7-5). EAP-TTLS
07-ch07.indd 378
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-1: Networking with 802.11
379
Figure 7-5
Configuring
802.1X on
a Windows
wireless client
goes beyond the TLS protocol, adding a tunnel to provide better security. EAP-TTLS
only requires a server-side certificate. EAP-TTLS is considered to be functionally equivalent to PEAP (see next).
PEAP
Protected Extensible Authentication Protocol (PEAP), another version that uses TLS,
addressed problems with EAP and was developed as an open protocol by several vendors,
such as Microsoft, RSA, and Cisco. PEAP is similar to EAP-TLS and requires a digital
certificate on the server side of a connection to create a secure TLS tunnel. There are different versions of PEAP, depending upon the implementation and operating system, but
all typically use digital certificates or smart cards for authentication.
LEAP and EAP-FAST
Lightweight Extensible Authentication Protocol (LEAP) is a proprietary protocol developed
by Cisco and was used in their wireless LAN devices for authentication. LEAP uses
dynamic WEP keys and provides for mutual authentication between wireless clients and
a centralized RADIUS server. LEAP requires wireless clients to reauthenticate periodically, and when they do, they must use a new WEP key.
Cisco has replaced LEAP with EAP-FAST (for Flexible Authentication via Secure Tunneling), which addresses LEAP’s security issues. EAP-FAST is lightweight but uses TLS
tunnels to add security during authentication.
07-ch07.indd 379
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
380
EXAM TIP The CompTIA Security+ objectives refer to a Remote
Authentication Dial-in User Service (RADIUS) Federation authentication
protocol, which mashes two terms you explored back in Chapter 3. A
federated system involves the use of a common authentication system
and credentials database that multiple entities use and share. A RADIUS
federation could connect those systems wirelessly using RADIUS servers.
Module 7-2: Attacking 802.11
This module covers the following CompTIA Security+ objectives:
• 1.3 Given a scenario, analyze potential indicators associated with
application attacks
• 1.4 Given a scenario, analyze potential indicators associated with
network attacks
Attacks on wireless networks have never been more common than they are today, but
why? Given that 802.11 wireless networks have been around for more than 20 years,
you’d think by now we’d be better at securing them. Truth is, we are better, but the bad
guys have gotten better as well. Plus, the wireless footprint keeps expanding. Wireless is
everywhere.
In this module, we’ll discuss various wireless threats and attacks that can be carried
out against wireless networks and unsecure wireless protocols (such as the surprisingly
still relevant WEPCrack). This module will discuss the attacks at length, so that by the
next module, you’ll be ready to learn the various ways you can harden wireless access
points and networks against these types of attacks. We’ll also glance at the other wireless
standard, Bluetooth, at the tail end to examine attacks along that vector.
If you want to do some attacking (of the ethical variety, of course!), the first thing
you’ll need are some tools. There are many tools out there to attack 802.11, but in general you’ll need three separate items:
• A good survey/stumbler tool to locate wireless networks and obtain
detailed information
• Some kind of tool to start grabbing wireless packets
• Some type of attack tool that analyzes the data you’ve collected and grabs
the passwords, keys, credentials, or whatever you want to grab
With those concepts in mind, let’s turn to the specific toys in the attacker’s toolbox.
You’ll see these on the CompTIA Security+ exam and, hopefully, use them for good in
the real world.
Wireless Survey/Stumbler
To attack a wireless network, you first need to find one to attack. To do this, you use
wireless survey/stumbler utilities. There are many such tools. Even the wireless client
07-ch07.indd 380
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-2: Attacking 802.11
381
Figure 7-6
Wi-Fi analyzer on
Android
built into your operating system easily locates the wireless networks and will tell you the
channel and encryption type. That’s OK for users, but if you want to attack, you need
a more serious survey tool. You need a survey tool like a Wi-Fi analyzer that not only
sees the wireless network but also grabs critical information such as GPS location, WAP
MAC address, detailed encryption type, WPS enabled, and so on. Figure 7-6 shows an
Android Wi-Fi analyzer I use.
Packet Capture
Once you’ve found a target, you then need to start grabbing packets. To do this, you’ll
need some form of packet-capture tool that grabs wireless packets and gives you some
control as to what packets you want to grab. Again, you have choices, but Airodumpng—one of the many powerful tools that are part of the Aircrack-ng wireless suite, is very
common and well supported (Figure 7-7).
Attack Tools
The entire goal of attacking wireless networks is to gather information. Every attack
requires some type of utility that helps you do whatever you want to do. Do you want to
crack WPS? There’s a tool for that. Want to crack WEP? There’s a tool for that. Want to
intercept credentials? There’s yet another tool for that.
07-ch07.indd 381
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
382
Figure 7-7 Selecting a specific WAP with Airodump-ng
The problem with any attack tool is that none of these tools are intuitive; you can’t just
throw your average script kiddie in front of one of these tools and expect results. The tools
are not necessarily difficult to use, but they aren’t so simple that you can plug and chug.
With that understanding in mind, there are some pretty great tools out there for wireless attacks. As a starting point, check out the previously mentioned Aircrack-ng, a suite
of tools that handles several popular attacks, concentrating on WEP and WPA cracking.
CAUTION Please, please, please note that using hacking and cracking tools
can land you in jail. That’s not a joke. You can attack your personal systems
all you want, of course. That’s how to gain skills. But you need a signed
agreement before you turn your newly minted mad hacking skills against
an organization. Without that agreement, you risk committing a felony, and
that, as we say in the business, is a bad thing.
Rogue Access Point
A rogue access point can indicate a potential wireless network attack, because it features an
unauthorized WAP within a secure network that attracts people to connect to it. A rogue
AP can be benign, for example, where a network user sets up a WAP to provide better
signal strength in his or her area. As an attack, though, a malicious person deliberately
places a rogue AP with the intent to monitor all of the connected victims’ network traffic.
In both cases, the rogue AP enables connectivity to the legitimate network. The malicious kind seeks information.
07-ch07.indd 382
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-2: Attacking 802.11
383
Hackers use several techniques to set up rogue APs. In a basic attack, the attacker uses
an AP configured for very weak or nonexistent authentication. This makes the victim
think that it’s an open or free Internet AP.
NOTE Different parts of the wireless industry use either AP or WAP to
describe a wireless access point. You’ll see this throughout industry
literature and hear it in discussions. The CompTIA Security+ 601 objectives
refer to WAPs in one section and rogue access point in another, for example,
where the “wireless” part is implied. The same applies to AP—the acronym
implies wireless.
Often a rogue AP will broadcast a very strong signal so that users think it’s the best free
Internet access point compared to several others. Rogue APs work very well where there
are several APs already transmitting, such as areas within range of businesses or establishments that offer free wireless access to their customers.
In another variation of this attack—called an evil twin attack—a hacker sets up a
rogue AP that broadcasts the same (or very similar) Service Set Identifier (SSID), which
appears as the wireless network’s name to ordinary users. Often, however, the evil twin
does not use the same security level as the legitimate AP, making it easier to connect to
the evil twin. Unsuspecting users connect to this AP, thinking that it’s one to which they
normally should connect. Once connected to the evil twin’s network, the attacker can
intercept the user’s network traffic through the evil twin, including user names, passwords, and any other traffic passed over the AP.
The evil twin attacker can gain user credentials that may also be used on other wireless
networks, allowing the attacker to connect to the legitimate APs and begin an attack on
those networks. The hacker may even further connect this rogue AP to the Internet, so
the user never suspects that she is connected to the rogue AP.
Figure 7-8 shows an example of how an evil twin wireless network also appears with a
legitimate one. Notice that the two are named similarly but are not configured the same
in terms of required security.
Jamming
Occasionally, a wireless network can experience interference from another wireless device,
which can occur, for example, when two wireless access points use adjacent frequencies
or channels. Interference can interrupt and interfere with wireless network transmission
and reception. For the most part, this interference is unintentional. Jamming is a form
of intentional interference on wireless networks, designed as a denial-of-service (DoS)
attack. This type of attack overpowers the signals of a legitimate wireless access point,
typically using a rogue AP with its transmit power set to very high levels. Attackers
can use other electronic devices as well to create interference, or jamming, in wireless
networks, including specialized devices easily acquired from the Internet or put together
by hobbyists.
Jammers are also commonly used to help evil twin attacks. By jamming a legitimate
WAP’s channel, all clients will automatically try to go to the evil twin (Figure 7-9). Even
07-ch07.indd 383
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
384
Figure 7-8
An evil twin
rogue wireless
access point is
named similarly
to a legitimate
network AP.
if your legitimate WAP tries to switch to another channel, a good jammer tracks the
channel changes and continues to jam.
The only way to prevent jamming and interference is to look proactively for sources
of wireless signals that are not coming from the corporate wireless network. The sources
are usually in the same frequency range and may come from malicious wireless clients or
rogue wireless access points.
NOTE Legally owning a jammer requires appropriate permission and
licensing. In many countries even owning a jammer is illegal.
Figure 7-9
Jammer working
with an evil twin
Jam channel 6 with
Wi-Fi jammer
Legit WAP on channel 6
SSID: Thunderbird
07-ch07.indd 384
Evil Twin WAP on channel 1
SSID: Thunderbird
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-2: Attacking 802.11
385
Figure 7-10 Packet sniffing a wireless network
Packet Sniffing
Just as with wired networks, attackers can sniff wireless networks for unencrypted data to
capture and analyze, although the techniques and tools required differ. Usually, an attacker
has to have a special wireless network card that can intercept packets and inject traffic on to
the network. The attacker usually also must have a special driver for the network card, if he is
using the Windows operating system, or he must put a network card into what’s called monitor or promiscuous mode in Linux. Once the attacker has his equipment set up, it’s simply a
matter of using the sniffing software of choice, such as Wireshark, for example. Figure 7-10
shows a Wireshark capture of a packet sniffing session conducted on a wireless network.
NOTE
All wireless sniffer tools require a special wireless NIC driver.
Deauthentication Attack
Encrypted wireless communication, as you might suspect, does not enable an attacker to
run simple tools to capture data and glean important or sensitive information. That’s the
point of encryption, right? An attacker can grab beacon frames and management traffic
and a bunch of encrypted traffic he can’t read.
The 802.11 frames that make the initial connection between a WAP and a wireless
client offer a unique attack vector. These standard management frames enable a client to
connect, then establish credentials and so forth so that encrypted communication can
happen happily.
07-ch07.indd 385
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
386
Figure 7-11 Conducting a deauthentication attack against a wireless client and its AP
In a deauthentication attack, a malicious actor sends a deauthentication frame to the
WAP with a spoofed MAC address—picked up by simple sniffers in the clear from traffic between the WAP and the intended target client. The WAP dutifully disconnects the
client (or station, as the Wi-Fi folks like to say). The client will then automatically try to
reconnect—associate—with the WAP. What happens after this DoS attack (“I deny you
access to the WAP!”) depends on the bad guy’s intent.
The client could unsuspectingly connect with an evil twin WAP and the bad guy
could use various attacks—man-in-the-middle attack, brute-force attack, and so on—to
get the client’s password. Once the attacker has the password in hand, it’s game over for
the client. The bad guy could just be a jerk, doing a DoS for some sick laughs. Regardless
of the subsequent actions, the deauthorization attack starts the process.
Figure 7-11 shows an example of a deauthentication attack, conducted using the
aireplay-ng command in the Aircrack-ng tool suite. This tool is popularly found on
Linux-based systems, particularly security distributions.
EXAM TIP You’ll hear the term disassociation attack as a form of
deauthentication attack.
Near-Field Communication
Near-field communication (NFC) enables devices to send very low-power radio signals
to each other by using a special chip implanted in the device. NFC requires that the
devices be extremely close—like within four inches—to each other. NFC can be used
for a wide variety of consumer and business applications, including quick payments with
NFC-enabled smartphones and cash registers, parking meters, and other really cool and
convenient transactions. NFC uses radio-frequency identification (RFID) technologies
and, unfortunately, is vulnerable to several types of attacks. These attacks include eavesdropping by another NFC device, man-in-the-middle attacks, and relay attacks (relaying modified information back and forth from the victim’s device, pretending to be the
victim). Many WPS-enabled devices (see “WPS Attacks” later in this module) also use
NFC, making wireless hacking of WPS-enabled networks easy.
07-ch07.indd 386
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-2: Attacking 802.11
387
Here are my
credentials.
Got them!
I got them
too!
Figure 7-12 A replay attack starts with a man-in-the-middle.
Replay Attacks
In a replay attack, data, particularly credentials such as user names and passwords, is intercepted and replayed back on the network to an unsuspecting host. The goal of the replay
attack is to retransmit those credentials back to a host, effectively allowing the attacker
to impersonate the victim. Credentials or other data passed in clear text is most vulnerable to replay attack, although certain versions of weak encryption algorithms can also be
vulnerable to these types of attacks. Even if the attacker can’t read the victim’s credentials
due to encryption, weak authentication methods may allow retransmitted credentials to
be used to authenticate to a host. Note that this type of attack isn’t unique to wireless
networks; wired networks also suffer from replay attacks (Figure 7-12).
Strong encryption methods help defend against this type of attack. Another defense
against this attack is through the use of timestamping, which limits the use of the credentials to a very narrow time period. The use of the Kerberos authentication protocol in
Windows Active Directory networks, which makes heavy use of time stamps, counters
replay attacks. Still another way of defending against this type of attack is for the originating host to digitally sign the traffic it sends. This assures the receiving host that the
credentials or other data it receives is authentic.
EXAM TIP The CompTIA Security+ objectives categorize a replay attack
as a type of application attack. Others that fall into this category are DLL
injections and privilege escalation attacks that you saw back in Chapter 5.
You’ll see many more in Chapter 11.
WEP/WPA Attacks
Like any streaming encryption, RC4 needs initialization vectors (IVs) to seed its encryption methods for protecting wireless traffic. Unfortunately, the IVs in WEP are considered weak, in that they are only 24 bits in length. This short length guarantees that
WEP must repeat the IVs frequently, meaning that after sniffing a few million packets,
an attacker can crack the WEP key mathematically (an IV attack). Today a number of
off-the-shelf tools (such as the freeware Aircrack-ng) make cracking any WEP-encrypted
SSID easy.
07-ch07.indd 387
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
388
WPA has its weaknesses. It uses RC4 encryption, and cracking methods were developed to crack WPA—although it is much harder to crack WPA than WEP.
Although both WPA and WPA2 are very strong wireless security protocols, if your
SSID uses a pre-shared key with a weak passphrase, they are both easily cracked, since
the four-way handshakes they use to negotiate a connection between devices contain
the WPA/WPA2 encryption key. This four-way handshake can be intercepted after a
deauthentication attack forces a wireless client and AP to reestablish their connection
and reauthenticate with each other. Once intercepted, a weak key can be cracked using
standard dictionary or brute-force attacks, again using tools such as Aircrack-ng.
WPS Attacks
A WPS-enabled wireless router can connect to another WPS device (wireless printers
are the most common) through a number of different methods. These methods all use a
WPS personal identification number (PIN), which is enabled simply by pushing a button on the wireless router and the device. This PIN is used as the network’s secure WPA
key. This WPS PIN is susceptible to brute-force attacks.
EXAM TIP The CompTIA Security+ exam might query you about an attack
used in older Microsoft networks. A pass the hash attack takes advantage of
weak points in the NT LAN Manager (NTLM) and LANMAN protocols. If the
attacker has the hash of a user’s password, the attacker can skip any kind
of brute-force attack and use the hashed password to access the network.
Modern Windows systems mitigate against this sort of attack, though the
best defense is to not allow network administrators to log in to suspect
systems and thus expose their passwords.
Wireless Peripherals
Wireless peripherals such as wireless keyboards and wireless mice are common and convenient, freeing us from messy cables and allowing more freedom of configuration. The
problem with wireless peripherals is that they typically use Bluetooth as the wireless
connection. Although Bluetooth is a mature and secure technology, an improperly configured Bluetooth peripheral is easy to hack. Let’s take a moment and talk about the two
old but still valid Bluetooth attacks, bluejacking and bluesnarfing.
NOTE Bluetooth is not Wi-Fi, but a different wireless standard that you’ll
recall from CompTIA A+ or CompTIA Network+ studies.
Bluejacking
Although becoming rarer these days, Bluetooth attacks happen. In the early days of Bluetooth, protocols did not have adequate security measures built in, and devices by default
allowed themselves to connect with any Bluetooth device that requested it. This enabled
07-ch07.indd 388
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-3: Securing 802.11
389
attackers to connect their Bluetooth device surreptitiously with an unsuspecting person’s
device and steal information from it, such as contacts and other personal information.
These attacks are becoming rare because the Bluetooth protocol has evolved over time,
and now more security measures are built into the protocol by default. Additionally,
most Bluetooth devices have to undergo a type of authentication with each other, called
pairing, which makes intercepting traffic between them more difficult. Another factor
contributing to the rarity of these types of attacks is that Bluetooth has a very limited
range: an attacker would have to be within around 35 feet of the victim to conduct the
attack successfully.
Legacy devices still in use, however, as well as new devices improperly configured for
security, are susceptible to Bluetooth attacks. One of the classic attacks on Bluetooth is
called bluejacking. Bluejacking involves sending data to a target device, such as a smartphone, usually in the form of unsolicited text messages. Although mostly harmless, bluejacking can be annoying at best and constitutes harassment at worst. Bluejacking does
not involve removing data from the device.
Bluesnarfing
Bluesnarfing is yet another classic Bluetooth attack, in which the attacker steals data from
the target device by connecting to an unsuspecting user’s device. Bluesnarfing can be used
to get contacts, e-mails, text messages, pictures, videos, and other sensitive data. Once
again, this type of attack is very rare these days, since most vendors have fixed vulnerabilities in their device operating systems and because of upgrades to the protocol itself.
You can stop both bluejacking and bluesnarfing attacks easily by making sure you don’t
leave your device in discoverable mode to prevent anyone from pairing to your device.
Module 7-3: Securing 802.11
This module covers the following CompTIA Security+ objective:
• 3.4 Given a scenario, install and configure wireless security settings
Despite what you might think after reading the many scary stories from the previous
module, it’s not difficult to create a robust and secure 802.11 wireless network. This
module discusses a number of installation considerations, security features, and administration tools to make a Wi-Fi network as secure as possible.
Installation Considerations
Network design that incorporates wireless connectivity offers choices these days in the type
of access points to use, site surveys, and WAP placement. Let’s start with installing WAPs.
Fat vs. Thin Access Points
An organization’s choice of which technology to employ to provide wireless connectivity
depends on several factors, including the location and complexity of its primary office
network and the design philosophy and needs of individual enterprise offices. You’ll hear
07-ch07.indd 389
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
390
the terms fat and thin access points to describe various APs, and we’ll look at those in
detail next. Terms aside, the choice boils down to where you want to manage the security
on the network.
A fat AP has all the bells and whistles, including a management console where you
can configure typical security controls, such as access control lists (ACLs), allow and
block lists, encryption, and so on. A fat or thick AP is also called a controller-based AP.
You manage each fat AP individually or, in the case of some vendors, manage all APs by
sending them instructions from a global console to enact locally. A thin AP typically just
acts as a repeater, taking the wireless signal and pushing it to a managed access control
(AC) switch that handles encryption and other security. A thin AP is referred to as a
standalone AP.
Here’s an example of how design philosophy, location, and complexity dictate which
technology to employ. A standalone satellite office in Brazil might need a fat AP to handle the wireless needs of its ten users and provide connectivity back to the home office. A
building with multiple floors and hundreds of users might rely on one awesome switch
(plus a redundant backup) to control dozens of thin access points.
Site Surveys
In a site survey, a network tech makes a technical assessment of the area in which a wireless network will be installed and operating. Usually, the tech performs a site survey
before installing the wireless network, although sometimes it might be performed periodically when looking at network performance or before expanding the wireless network
to accommodate new access points or additional capacity.
Site surveys help technical personnel understand the different issues that may be
present in an area where the wireless network will be operational. These issues may affect
considerations such as area coverage, network growth, access point and antenna placement,
required power levels, and even network capacity (level of usage of the wireless network).
NOTE Security professionals in the field of penetration testing love fake site
surveys. People simply ignore folks walking around with a clipboard and
survey uniforms…. This is social engineering—manipulating people to get
into systems—at its finest. Chapter 12 covers social engineering techniques
in detail.
Some of these issues include proximity to potential interference sources, channel overlaps from other SSIDs in the area, environmental and physical considerations (physical
obstacles that may limit wireless signals, such as buildings, for example), and, of course,
potential security issues (public areas where war driving may happen, for instance).
A Wi-Fi analyzer tool will scan an area for existing wireless networks, providing essential information for assessing an area for potential problems or obstacles when planning
an installation of a Wi-Fi network. Figure 7-13 illustrates some of the data collected
during a survey when using a Wi-Fi analyzer tool, in this case inSSIDer from MetaGeek (www.metageek.com). A quick scan of a local area shows many networks, including
named and hidden; the signal strength relative to the position of the scanning device in
07-ch07.indd 390
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-3: Securing 802.11
391
Figure 7-13 Viewing the Wi-Fi spectrum when performing a site survey
decibels (lower number is stronger); number of radios, the security level, such as WPA,
WEP, WPA2, open; and mode, such as 802.11b/g for the open network and 802.11a/b/
g/n/ac/ax for one of the locked down networks. Additionally, the screenshot shows the
Madrid network selected so you can see the channels in use graphically in the lower third
of the screen—3 and 11 in the 2.4 GHz band; 34, 46, and 50 in the 5 GHz band.
EXAM TIP Wi-Fi networks use radio-frequency spectrums or bands split into
channels, which you might recall from your CompTIA Network+ studies. The
2.4 GHz band has a fairly small number of channels, several of which overlap.
Excessive traffic on overlapping channels—even with separate SSIDs—
can cause problems. This is sometimes referred to as adjacent-channel
interference, which the CompTIA Security+ objectives shorten to channel
overlaps.
When conducting a site survey, a technician measures potential coverage distances,
identifies obstacles that may block wireless signals, and performs various tests to determine optimal placement of antennas and access points. The technician will usually map
out the area and identify potential sources of interference, such as power cabling, cell
towers, or other radio-frequency interference (RFI)–producing sources. Technicians also
should plan for capacity, meaning that they need to know how many users will connect
to the wireless network at any given time and what types of data or applications they will
use over the wireless network.
07-ch07.indd 391
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
392
Figure 7-14 AirMagnet Survey Pro
There are plenty of tools to support a wireless survey, like AirMagnet Survey Pro
(Figure 7-14). All good survey utilities share some common ways to report their findings.
One of the most powerful reports that they generate is called a heat map. A heat map is
nothing more than a graphical representation of the radio-frequency (RF) sources on a
site, using different colors to represent the intensity of the signal. Figure 7-15 shows a
sample heat map. Some companies take heat map tech to the minute, showing the precise
location of User Joe in the building based on his network traffic. This can be a great tool.
Although this might not seem like a security consideration, remember that availability
of data is directly tied to security (remember the CIA triad: confidentiality, accountability, integrity). After completing the site survey, the technician usually provides recommendations to managers and the team that will install or expand the wireless network, so
they can configure it optimally for both performance and security.
WAP Placement
Wireless access point (WAP) placement matters not only in making sure that people can
get a strong enough signal to access the wireless network, but also for security reasons.
A WAP with a standard omnidirectional antenna located too close to an outer wall of
a facility makes the wireless signal easier to pick up outside the facility, which makes
07-ch07.indd 392
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-3: Securing 802.11
393
Microwave
e
Reinforced
Rein
nfo
f rced Wall
Wall
Refrigerator
Microwave
Figure 7-15 Site survey with heat map
it easier for bad actors to pick up the wireless signal and attempt to hack the network.
Ideally, both for performance and security reasons, centralize WAP placement within a
facility; in other words, place WAPs with omnidirectional antennas centrally throughout
different areas of the facility so that they can adequately span all areas of coverage within
a facility, without being too close to exterior walls or the roof whenever possible.
Place a WAP with a directional antenna, in contrast, so that the signal points to the
area of desired coverage. Placing such a WAP on the inside of an outer wall, pointed into
the interior, can provide excellent coverage with little chance of signal spillage.
Wireless Configuration
A good layout of enterprise-level WAPs, properly placed and using the right antennas, is
a great start for any wireless network. Now it’s time to take advantage of the many 802.11
features to protect your network.
Controller and Access Point Security
No wireless network has any hope of security without serious consideration of controller
and access point security. Start with the basics in a SOHO network and replace default
passwords for any wireless access point to something much more secure. Also, if possible,
change any factory-configured SSID passwords. (See Figure 7-16.) Don’t use the same
password on every WAP. Finally, be sure to restrict physical access to the WAP.
07-ch07.indd 393
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
394
Figure 7-16
Factory
passwords are
well known.
MIKEOSOFT WAP MODEL 234567
Part Number: 23593837499
S/N: 2223-1234544-0
SSID: MIKEOSOFT1
WPA2 PWD: Everyoneknowsthis
You’d be shocked how often admins
use the default password or the
factory configured password!
Once you get beyond a SOHO network, as you’ll recall from your CompTIA Network+ studies, access point management becomes more centralized. A typical mediumsized organization, for example, might deploy a dozen managed access points across their
offices that require a controller to handle setup, configuration, and security. You secure
access to the controller software the same way you secure access to any critical application, through proper account management, as in making sure only the appropriate user
accounts can access the controller software. When you scale up further—think campus
area network (CAN) here with 100+ APs—many organizations use dedicated hardware
AP controllers to configure access point security. Secure access to the AP controllers just
as you would any mission-critical network appliance, through limiting physical access as
well as proper account management.
SSID Broadcasting
The SSID is the wireless network name. This name is usually broadcast out to let wireless
clients know that it exists. Nontechnical users rely on SSID broadcasting to locate and
connect to networks. The SSID has absolutely nothing to do with security.
Early in the wireless revolution, standard security practices held that to secure a wireless network, you should keep the SSID from broadcasting; this was a practice called
SSID hiding or cloaking. This practice prevented casual wireless snooping and was meant
to keep unauthorized people from connecting to a wireless network. The theory was that
if they couldn’t see the network name, they couldn’t connect to it.
These days, most wireless network clients can pick up all the nearby wireless networks,
even if they have cloaked SSIDs, as you can see in the Wi-Fi analyzer scan in Figure 7-13,
above. And you can easily install software on a wireless client that can tell you what the
wireless SSID is, simply because wireless clients can also broadcast SSID information
out. Even if people can’t see the network name, they will see that an unknown wireless
network does exist. Then a determined hacker can connect to it.
In addition to cloaking SSIDs, some security administrators also recommend renaming the SSIDs from the default wireless access point name that is usually broadcast when
you first install an access point. This may be a good idea to help users connect to the
07-ch07.indd 394
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-3: Securing 802.11
395
correct network, but from a security perspective it isn’t effective and may actually confuse
users, causing them not to be able to connect to a wireless network.
EXAM TIP An SSID has nothing to do with security. It’s just the network name
for a Wi-Fi network.
MAC Filtering
Remember that the MAC address is burned into every single network card manufactured, including wireless network cards, and these addresses are used the same way. The
MAC address is a 12-digit hexadecimal number that identifies the manufacturer of the
card and the individual card itself. Because it can identify the individual network card,
and by extension the client, some administrators filter wireless network access by the
MAC address of the client. Most wireless access points have the ability to do MAC filtering, as you’ll recall from Chapter 6, either allowing or denying a particular MAC address
(and the host that has the MAC address) on the network.
MAC filtering is frequently used as a security measure, since it can deny access to
wireless network cards that are listed in a table on the access point. However, you should
know that it’s quite simple to spoof a MAC address, so, like SSID cloaking, this isn’t an
effective security measure and should not be used by itself to protect a wireless network.
The other part about MAC filtering is that if you use it as a security measure (in
conjunction with other more secure measures, hopefully), you should configure MAC
filtering to allow certain MAC addresses only, rather than attempt to deny certain MAC
addresses. This is simply because you can deny only what you know about; of course, it’s
difficult to deny a MAC address that you don’t know exists. So MAC address filtering
should be used on a default deny basis (deny all), with only a few addresses as exceptions.
Figure 7-17 shows my home WAP’s MAC filtering settings.
Power Level Controls
You may be tempted to think that boosting the power on your wireless access point
gives you better performance and enables your clients to connect to your network with a
stronger signal. You’d be right about that, except for a couple of things. The first thing is
that raising the power levels on your WAP beyond a specified level may be illegal in certain areas. Most WAPs have preset power levels, usually a balance between what’s legally
acceptable in its intended region and performance requirements. It isn’t too difficult
to download nonstandard firmware or software that allows you to change those power
levels, however, sometimes beyond the legal limit allowed in your area. The second thing
is that the higher power levels on your WAPs can adversely affect the security on your
network. This is because the more powerful the signal, the farther out that signal will
transmit. So, in addition to all of your authorized clients being able to see the wireless
network, get a really good signal, and connect to it, unauthorized people (read: hackers
or people looking for free Internet connectivity) will also be able to do the same thing.
In addition to limiting omnidirectional-antenna WAP placement to centralized areas
within your facility, you should reduce antenna power levels on those WAPs to the lowest
07-ch07.indd 395
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
396
Figure 7-17 Configuring MAC filtering
acceptable point at which users can still receive a strong signal from the network. This
prevents the signal from leaving your facility as much as possible. You may even have to
lower the power levels and simply provide more access points throughout the facility to
keep the signals confined to the immediate area as a sort of trade-off. It’s probably not
realistic to think that you’re going to be able to limit stray signals fully, but limiting them
to as short a distance as possible outside your facility can help your security posture, since
any would-be hacker may have to get unacceptably close to your building to hack into
or connect to your network.
Captive Portals
Many organizations set up Wi-Fi networks so clients default to a captive portal when logging in. A captive portal is a Web page that prompts clients to enter proper credentials to
gain further access to the network (Figure 7-18). This enables the organization to control
07-ch07.indd 396
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Module 7-3: Securing 802.11
397
Figure 7-18 Mike’s captive portal
or limit access to clients accessing from an acceptable location and with proper authentication. You’ll see captive portals used in many hotels, for example, as a way to provide
paying guests access to the Internet via Wi-Fi and stopping freeloaders from getting in
and leaching bandwidth.
Captive portals provide a secure method for authenticating a wireless client in a couple
of ways. First, it may be impractical to share a pre-shared key or device certificate with
everyone who is authorized to use the wireless network (think airport customers or hotel
guests, for example), but the wireless network may still require some sort of authentication. A captive portal setup allows a wireless client to connect to the wireless network and
reach only a single Web site, where the users must authenticate to the wireless network
before they can use it any further.
A business may provide wireless access for its external partners or customers rather
than allowing them to use its interior corporate wireless network. The captive portal
would help serve such a function in this case. It enables authentication and can assist in
accounting for wireless network access that has been paid for by a customer. For authorized employees connecting to a corporate network, a captive portal can also serve as a
type of network access control (see Chapter 6 for more details on NAC), since an otherwise authorized wireless device may have to use certain protocols or have certain requirements present to connect to the network (patches, antivirus signatures, and so on).
Security Posture Assessment
Part of a network professional’s job is to use tools to assess the security posture of a network. With wireless networks, that means to run assessment tools to probe the network,
looking for any errors in implementation or any weaknesses.
07-ch07.indd 397
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
398
The cool part for you is that you already know the assessment tools—you used them
to attack wireless networks in Module 7-2! Use Aircrack-ng, Wireshark, and any number
of Wi-Fi analyzers and wireless scanners/crackers to probe wireless networks.
Organizations often hire third parties to assess a network security posture. Many
companies have created in-house groups dedicated to performing and maintaining
posture assessments.
Questions
1. Erin is tasked to design a wireless network for the new wing of her office, which
consists of two large rooms with cubicles. Her budget allows for two high-end
WAPs that support WEP, WPA, WPA2, or WPA3 or four medium-end WAPs
that support WEP, WPA, or WPA2. In such a scenario, which option will provide
the best security?
A. Install the two high-end WAPs enabled for WPA2 to provide the best
coverage and security.
B. Install the two high-end WAPs enabled for WPA3 to provide the best
coverage and security.
C. Install the four medium-end WAPs enabled for WPA to provide the best
coverage and security.
D. Install the four medium-end WAPs enabled for WPA2 to provide the best
coverage and security.
2. Ellen gets a call from a local café she provides tech support to, complaining that
some users on older devices can’t connect to the newly upgraded WAP (but they
could connect to the previous WAP). What could be the problem?
A. She set up the WAP to use WPA and TKIP.
B. She set up the WAP to use WPA2 and only AES.
C. She set up the WAP to use mixed mode.
D. She set up the WAP in open mode.
3. Which Cisco authentication protocol provides the best wireless security?
A. 802.1X
B. EAP-TLS
C. EAP-FAST
D. LEAP
4. Jane runs a coffee shop that shares walls with two other businesses. She wants
to install a Wi-Fi network for her clients, but wants to make sure she’s neither
sharing the network with the other businesses nor interfering with their wireless
07-ch07.indd 398
25/03/21 2:16 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Questions
399
networks. She has the option of installing one or more 802.11ac WAPs with
omnidirectional antennas. What’s her best option in this scenario?
A. Jane should install one WAP in the center of her establishment.
B. Jane should install one WAP in the center of her establishment and then
reduce the power level.
C. Jane should install one WAP in the center of her establishment and then
increase the power level.
D. Jane should install two WAPs, one on either wall, and point the antennas to
the center of her establishment.
5. Andre wants to hack a Wi-Fi network (for learning purposes!). Which type of
tool would enable him to find the wireless signals to start the attack?
A. Wireless survey
B. Packet capture
C. WEP cracking
D. WPA cracking
6. Which of the following can happen if an attacker sets the power levels on a rogue
access point to overpower the wireless transmissions of a legitimate access point?
A. Jamming
B. Beaconing
C. Deauthentication
D. Spoofing
7. Jaime was working on a term paper at the local café and noticed that her
connection to the WAP kept dropping. Her system would reconnect rapidly, but
the behavior was odd. Which of the following kind of attack would most likely
create this scenario?
A. Bluejacking
B. Deauthorization attack
C. Jamming
D. Replay attack
8. Which of the following technologies requires that two devices be within four
inches of each other in order to communicate?
A. 802.11i
B. WPA
C. Bluetooth
D. NFC
07-ch07.indd 399
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 7
Chapter 7: Securing Wireless LANs
400
9. Ezra has been tasked to provide for a hotel a Wi-Fi solution that enables hotel
staff to control who can access the wireless resources. The solution should include
both location and login authentication. What might accomplish those goals?
A. Captive portal
B. Disable SSID broadcast
C. MAC filtering block list
D. MAC filtering allow list
10. Which of the following options will provide a graphical representation of the
wireless signals—including their strength—in a site survey?
A. Bluesnarfing
B. Captive portal
C. Heat map
D. RFID map
Answers
1. B. WPA3 completely trumps earlier Wi-Fi encryption standards in terms of security.
2. B. Most likely, Ellen set up the WAP to allow only traffic encrypted with WPA2
and only AES. Although it will reduce security, changing the WAP to mixed
mode would provide support for older Wi-Fi clients.
3. C. Of the two Cisco authentication protocols listed here, EAP-FAST offers way
better security (through TLS) than LEAP (WEP and RC4).
4. B. It’ll require some experimentation, but reducing the power level for a centered
WAP should make the signal available only for her customers. Such a setup
reduces signal bleed into other spaces.
5. A. Starting with a wireless survey or stumbler tool would enable Andre to find the
signals he wants to capture. He could follow up with a packet capture tool, like
Airodump-ng, and then hammer the packets for content with an attack tool.
6. A. Jamming, intentional interference on a wireless network to cause denial of
service, can occur if an attacker sets the power levels on a rogue access point to
overpower the wireless transmissions of a legitimate access point.
7. B. Although you could make an argument for a jamming type of attack, this is
most likely a deauthorization attack, kicking Jaime’s system off the WAP in hopes
that it would connect to an evil twin WAP.
8. D. Near-field communication (NFC) requires that two devices be within four
inches of each other in order to communicate.
9. A. Creating a captive portal would provide the desired solution, especially the
login authentication.
10. C. A heat map provides a graphical representation of the wireless networks—and
their relative signal strengths—in an area.
07-ch07.indd 400
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
CHAPTER
Securing Public Servers
8
With Cloud Computing, it is no longer a question of If,
but rather When and How.
—Ludmila Morozova-Bussva
The world accesses public servers—resources on the Internet—to live and prosper in the
global economy. IT security professionals must secure public servers or the world will
simply fail. (Dramatic enough intro to this chapter? It’s good stuff, so read on!)
This chapter explores how security professionals deal with public servers, emphasizing
cloud computing, in four modules:
•
•
•
•
Attacking and Defending Public Servers
Virtualization Security
Cloud Deployment
Securing the Cloud
Module 8-1: Attacking and Defending Public Servers
This module covers the following CompTIA Security+ objectives:
• 1.4 Given a scenario, analyze potential indicators associated with network
attacks
• 2.2 Summarize virtualization and cloud computing concepts
• 3.3 Given a scenario, implement secure network designs
Anytime you connect a server to the Internet, you expose that server to all the evils
and troubles lurking out there. The fact that anyone can at least attempt to connect to
your server gives bad actors with access to a DNS name or IP address a lovely attack surface, thus giving them the opportunity to try to do something nefarious to your server.
This module first describes a distributed denial-of-service attack and then discusses
some of the tools used to secure public-facing servers and mitigate the effect of these attacks.
401
08-ch08.indd 401
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
402
Distributed Denial-of-Service
If a bad actor wants to disrupt your organization’s normal operations, one of the most
disruptive actions they can attempt is to make one of your Internet-connected servers
stop working so that server can no longer provide essential resources. There are plenty
of ways to attempt this, but for the most part security professionals have learned from
experience how to stop the vast majority of attacks, with one exception.
A distributed denial-of-service (DDoS) attack is when many systems send requests to
a server with the goal of swamping the server with clients so that it responds too slowly
for legitimate users or, in some cases, causes the server to reboot/lockup/fail in some way
(Figure 8-1). The attack can stop a specific application (such as a Web server) or drop an
entire network if successful. DDoS attacks on operational technology (OT) sites such as
power plants that might be running on older systems can prove particularly disruptive
and devastating.
NOTE A denial-of-service (DoS) attack involves one system sending lots of
requests to a single server. A DDoS attack is when hundreds, if not thousands,
of systems send requests to a single server.
So how do we get lots of systems to work together to attack a specific server? Why,
malware of course! A bad actor might send hundreds of thousands of e-mail messages
to infect as many systems as possible. The zombie computers may run for months with
malware that doesn’t affect the systems . . . until it’s time to attack!
The problem with this simple DDoS attack is the fact that most servers are designed to
handle a huge number of requests per second. To make the server work harder, attackers
Figure 8-1
The basic DDoS
One moment
please!
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
HTTP ACK REQUEST...HTTP ACK REQUEST...
Web Server
DDoS Attackers
08-ch08.indd 402
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-1: Attacking and Defending Public Servers
403
not only send lots of requests, they do things to the requests so the server has to spend
relatively large amounts of time per request to deal with them. Here are a few ways an
attack can do this:
• Send lots of UDP packets to random port numbers on the server, making it respond
to them with errors
• Use lots of bogus IP addresses, forcing the server to wait for a response from a client
that doesn’t exist
• Send intentionally mangled requests, forcing the server to try to read them and
hopefully timeout (Figure 8-2)
• Send lots of requests without ever responding
• Send lots of requests but respond just slow enough that the server keeps the
connection
• Take advantage of some weakness in the server software to make bad things happen
Keep in mind that each of these ways is just a strategy. There are many methods that are
useful in DDoS attacks.
DDoS attacks plague networks today. As quickly as certain forms of attacks are discovered and stopped, bad actors only need to make subtle changes as they discover new
weaknesses and then repeat the same types of attacks. Protecting public-facing servers
from DDoS starts with making server configuration secure.
Can’t...Keep...Up...
Arrggg!!!
Malformed ACK REQUEST...Bad ACK REQUEST...
Malformed ACK REQUEST...Bad ACK REQUEST...
Bad ACK REQUEST...Malformed ACK REQUEST...
Malformed ACK REQUEST...Bad ACK REQUEST...
Bad ACK REQUEST...Malformed ACK REQUEST...
Malformed ACK REQUEST...Bad ACK REQUEST...
Malformed ACK REQUEST...Bad ACK REQUEST...
Bad ACK REQUEST...Malformed ACK REQUEST...
Malformed ACK REQUEST...Bad ACK REQUEST...
Bad ACK REQUEST...Malformed ACK REQUEST...
Malformed ACK REQUEST...Bad ACK REQUEST...
Bad ACK REQUEST...Malformed ACK REQUEST...
Malformed ACK REQUEST...Bad ACK REQUEST...
Bad ACK REQUEST...Malformed ACK REQUEST...
Malformed ACK REQUEST...Bad ACK REQUEST...
Bad ACK REQUEST...Malformed ACK REQUEST...
Malformed ACK REQUEST...Bad ACK REQUEST...
Bad ACK REQUEST...Malformed ACK REQUEST...
Web Server
Extra Evil DDoS Attackers
Figure 8-2 Making DDoS harder
08-ch08.indd 403
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
404
Route Security
Routers enable networks to interconnect. Network engineers focus on secure network
design principles with routers to ensure the information that enables that interconnectivity stays safe and uncorrupted. The details of the routing tables matter.
A lot of this you’ll remember from your CompTIA Network+ (or equivalent) studies, that every routing protocol—RIPv2, BGP, EIGRP, OSPF—supports route authentication. Neighbor authentication, for example, makes certain that routers know which
neighbor to trust and accept only reliable routing information. Protections such as this
prevent bad routes from getting into routing tables and stop naughty information, like
malformed packets, from messing up routing.
Implementation of route security measures goes well outside the scope of CompTIA
Security+. But you need to know that ensuring route security is an essential part of network design.
Quality of Service
The quality of service (QoS) router feature enables you to control the bandwidth of different protocols coming through a router. With QoS you can assign a minimum or a
maximum bandwidth set either as a percentage of the router’s total bandwidth or as a set
speed (MB/sec, for example).
The QoS feature makes sure that certain protocols never max out the router and
ensure that critical protocols always have adequate bandwidth. Figure 8-3 shows a typical
implementation of QoS that sets the maximum any application on the network can grab,
thus making sure other applications have bandwidth too.
QoS is also a relatively handy way to provide some security to your router. Let’s say
that you want to enable SFTP on your router but only to occasionally update a single
small file. This will never take much bandwidth, correct? So why not give SFTP only
a tiny amount of bandwidth just in case a bad actor wants to try to use it to do a lot of
downloading? It won’t stop them, but it will slow them down dramatically.
Monitoring Services
It’s generally a bad thing if a public-facing server stops serving. The server’s administrators need to know as soon as possible if any issue arises that prevents the server from
serving on a timely basis.
The only way to determine a server’s status is by monitoring the server. Monitoring
might be as simple as trying to log onto the server or as complex as using remote tools
to query logs and events and comparing them to baselines to see how the server is performing. File integrity monitors, for example, check for baseline deviations and can alert
administrators of problems. Basically, any file integrity monitoring (FIM) needs to answer
these three questions:
• Is the system up?
• Is the system too busy?
• Are strange things happening?
08-ch08.indd 404
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-1: Attacking and Defending Public Servers
405
Figure 8-3
Smart Queue Management QoS on a Ubiqiti EdgeMAX router
System monitoring is a thankless job but a necessary one. Any competent administrator should have little difficulty setting up a monitoring system, but start adding more
servers (and more servers requiring 24/7 monitoring), and the workload becomes unrealistic for all but the largest of organizations.
Luckily, moving your servers to the cloud gives administrators access to organizations who will take over the monitoring of your servers for a (relatively) small monthly
cost. You give these monitoring services access to your server, usually by giving them an
account on the server or by installing a software “agent” on your servers, and they’ll happily take over all the mundane monitoring for you.
NOTE Monitoring services are most common on the cloud, but they’re
perfectly capable of monitoring on-premises servers as well.
Companies that provide security monitoring services are one example of managed
security service providers (MSSPs), a subset of managed service providers (MSPs). An MSP
is an organization that provides some form of IT service for a fee. MSPs provide backup,
08-ch08.indd 405
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
406
infrastructure, and storage services. If you have a need for any type of IT service, there’s
an MSP out there for you! An MSSP is nothing more than an MSP that concentrates on
IT security, such as a monitoring service.
Module 8-2: Virtualization Security
This module covers the following CompTIA Security+ objective:
• 2.2 Summarize virtualization and cloud computing concepts
Virtualization dominates today’s computing world. If you’re accessing a Web app on
the Internet, you are almost certainly accessing a virtual machine. If you use iCloud,
Dropbox, or Google Drive, your files, photos, and songs are stored on virtual machines.
Even within most LANs, the Windows and Linux servers are commonly virtualized.
This module covers virtualization and the many security issues involved with virtualization. Security features span both virtualization and the cloud, as you’ll see
(Figure 8-4).
EXAM TIP The CompTIA Security+ exam might ask you to compare various
virtualization and cloud services, noting the location of these services.
Pay attention in this module and the next to the differences between
on-premises vs. off-premises (also called hosted or cloud), primarily about
who’s responsible for maintenance and service. (On-premises means you
have to do the work; off-premises means you don’t. Hosted services have
techs who don’t work directly for you; cloud abstracts the whole thing away
and you just don’t worry about it.)
You probably have an idea of what virtualization involves. You may have learned about
only part of it, however, or perhaps you have been peripherally involved in setting up a
virtual environment. Maybe you’ve put together a test lab on a single PC and run a few
virtual machines on it, or perhaps you’ve designed and architected an entire virtualized
environment for a large organization. In any case, you’ll need to be familiar with several
important concepts for the exam, so we’re going to cover them here. These concepts include
virtualization architecture, containers, virtualization risks, and virtualization for security.
Figure 8-4
Cloud and
virtualization are
closely related
They’re like peas
and carrots.
Virtualization
The Cloud
08-ch08.indd 406
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-2: Virtualization Security
407
Virtualization Architecture
In the basic sense, virtualization means to run an entire instance of an operating system
on a host physical machine. The virtual machine (VM), or guest, exists as a file in an
application. Applications known as hypervisors create and use these files to initiate a VM.
When the VM is turned on, the hypervisor acts as a mediator between the host operating system and the guest operating system, providing access to both physical and logical
resources. These resources could include sound cards, network connections, hard drives,
USB drives, and any other peripherals that a physical machine could use.
EXAM TIP Oddly, CompTIA dropped hypervisor from the Security+
objectives when going from SY0-501 to SY0-601. We assure you that any
discussion of virtual machines in the real world includes hypervisors. Don’t
be surprised to see the term in questions on your exam.
As far as the virtual machine is concerned, it doesn’t “know” that it is not a physical
machine; it functions as if it were a completely solid physical device. That means that it
behaves as a physical device and can run applications, service user requests, make network connections, and so on. You can use VMs as file servers, user workstations, DNS
servers, Web servers, and almost anything else that a physical machine can do. Unfortunately, this also means VMs have the same weaknesses as physical devices, and they must
be secured and hardened against attack.
You can run almost any operating system as a VM—Windows, Linux, UNIX, BSD,
and (to a lesser extent) macOS. Even the Android operating systems used in mobile
devices can be run as a VM. The host machine, on the other hand, can also run various
operating systems, including Windows, Linux, or macOS. The real requirement is that a
compatible application must create and run VMs on a particular host operating system.
That brings us to the discussion of hypervisors.
There are two types of hypervisors: Type 1 and Type 2 (Figure 8-5). A Type 1 hypervisor
is a limited-function, stripped-down operating system in its own right. It runs the host
machine and serves to provide the single functionality of managing the VMs installed on
it. These types of hypervisors are usually called bare-metal (or sometimes native) hypervisors, because they provide a very limited functionality and only boot up the physical
machine and handle resource access from the VMs. Several popular Type 1 hypervisors
are available; some of them are even free to use. Microsoft has a Windows-based hypervisor (Hyper-V); the Linux community has a lot, such as Kernel-based Virtual Machine
(KVM). Commercial hypervisors are also available, such as those developed by VMware.
NOTE You’ll see Roman numerals used by some sources for the hypervisor
types, so Type I and Type II.
For the most part, Type 1 hypervisors are usually installed and then run in “headless” mode, meaning that they don’t require a user to sit down at a keyboard console or
monitor. They are usually managed remotely through a Web browser on a workstation
08-ch08.indd 407
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
408
Virtual
Machine
Virtual
Machine
Virtual
Machine
Type 2 Hypervisor (e.g., VirtualBox)
Figure 8-5
Virtual
Machine
Virtual
Machine
Virtual
Machine
Host OS (Windows, Linux)
Type 1 Hypervisor (Hyper-V, ESX)
Hardware
Hardware
Type 1 and Type 2 hypervisors
after their network connectivity has been set up. Figure 8-6 shows an example of how
VMware’s ESXi server, a popular bare-metal hypervisor, is accessed and managed remotely
via a browser (Apple Safari, in this case). Rarely, an administrator might have to sit at a
console at the host server to perform configuration tasks that can’t be done remotely.
A Type 2 hypervisor is an application that runs on top of a host operating system. You
may have used a hypervisor product such as VMware Workstation, Oracle VirtualBox, or
Parallels for macOS. These are Type 2 hypervisors that can be used to create and manage
Figure 8-6
08-ch08.indd 408
Accessing an ESXi server through the Safari Web browser
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-2: Virtualization Security
409
a limited number of virtual machines. Usually these types of hypervisors are used in small
environments to create and test different aspects of virtualization. For larger production
environments used in businesses, Type 1 hypervisors are normally used and are typically
installed on very powerful, robust physical hardware. Figure 8-7 shows the user interface
of VirtualBox, a popular free hypervisor application produced by Oracle.
Virtual machines can also have unique network architectures. They can use multiple network configuration options, depending upon the type of host system they are
installed on. You can configure a network connection that is directly connected to the
outside network through the host machine’s network interface card, and the VM receives
its IP addressing information from the outside network. This is called bridging. A VM
could also receive its IP addressing information directly from the hypervisor installed on
the host. In this regard, the hypervisor acts as a Dynamic Host Configuration Protocol
(DHCP) server and provides private IP addressing (through network address translation,
or NAT) to the virtual host—the VMs within the host machine. The host would then act
as the default network gateway for any VMs installed on it.
You can set up a virtualized network within the host so that only virtual hosts can
communicate with it and each other. In other words, they can’t contact the outside
world through the virtual network unless the host is configured to allow it. You can
Figure 8-7
08-ch08.indd 409
VirtualBox Type 2 hypervisor
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
410
configure the network portion of the virtual environment in several different ways,
based upon how you want VMs to communicate with the outside network, the host,
and each other.
Containers
VMs are great. VMs enable you to use the wildly powerful hardware of modern computers to create full operating system environments that you enable or disable at will. The
OSes run applications. They network. They are, for all intents and purposes, unique
computing machines. A VM requires an operating system, a license for that OS, configuration, security, and so on. But what if your network needs are simpler?
Containers offer a related experience to a VM, except that they include only the essentials of a network application—what you might think of as a server, plus programming
that enables that application to run on any OS and network with other systems. Putting
applications into containers—called application cells in some systems—enables software
developers and distributors to spin up any number of copies of their functioning applications for testing purposes and more. When done right, containers enable application
spin-up to happen almost instantly and make it much easier and simpler for network
admins to manage servers. Docker provides the most common platform, or management
system, for containers (Figure 8-8).
NOTE Docker didn’t invent containers; they’ve been around for decades.
Docker just packaged containers as a great way to manage application
development and deployment in a clever and easy-to-use way.
Figure 8-8
08-ch08.indd 410
Docker architecture
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-2: Virtualization Security
411
Virtualization Risks
Of course, even beneficial technologies like virtualization have inherent risks. Virtualization is the solution to many problems, such as scalability, hardware production, and even
security in some respects, but it also has risks. For example, with virtualization, single
points of failure for host machines are risks, because if the host machine becomes unavailable, loses connectivity, or encounters a serious hardware error, all the virtual machines
that reside on it are also lost. In addition, because multiple VMs may be running on a
host, and some may have several services running on them, this adds to the attack surface
of the host. All the services that the VMs run communicate with the outside world and
the network, so they all represent different attack vectors as well. These represent a threat
not only to each VM but also overall to the host.
Yet another risk involves redundancy and availability. Although virtualization helps
in ensuring redundancy and availability, failure on the part of administrators to take
advantage of these features could result in the loss of critical data if a VM fails and it has
not been backed up or otherwise preserved. Security could also be considered at risk with
VMs because complacent administrators often mistakenly think that securing the host
machine is enough, and sometimes they forget to secure the VMs as well. So don’t be
surprised when you encounter a fairly secure host machine that has VMs running on it
that have blank passwords or default security configurations. Remember that almost any
risk that a physical machine can incur can also be incurred on a VM. You should take the
same security measures on VMs that you take on a physical machine.
VM Sprawl
Once you have a hypervisor up and running, authorized users can easily whip up new
VMs anytime they wish; that creates a problem called VM sprawl. VM sprawl is the outof-control creation of VMs outside your security control. Your marketing department
spins up a new Web server for a job fair; the engineering department makes a VM to test
some new software they’re thinking about buying; the IT department adds extra servers
to run, as they say, stuff.
VM sprawl is a huge problem without a simple answer other than good monitoring.
Network administrators need to implement policies or practices for VM sprawl avoidance. Every hypervisor has authentication tools to limit who can make VMs. Use those
tools. Make clear policies that prohibit users from building their own hypervisors or,
even worse, buying their own cloud VMs! Other than that, your job is to maintain good
inventory of all existing VMs and to perform ongoing monitoring to look for new VMs
that shouldn’t be there.
VM Escape
VM escape takes place when a user inside a VM finds a way to break out (escape) the VM
and somehow get into the underlying hypervisor/host operating system. Network
security people need to know the problem and implement, as much as possible, VM
escape protection.
On the good side, VM escape exploits terrify the IT world and, once detected, are very
quickly patched. On the downside, there is no anti-VM escape tool. Hopefully, you’ll have
08-ch08.indd 411
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
412
intrusion detection or intrusion prevention tools to mitigate the attack, like any other
attack. As mentioned earlier, VMs need all the same security tools used on physical systems.
Hardening Virtual Machines
Locking down and securing virtual machines is not much different from doing the same
to physical hosts. All the security considerations for physical hosts also apply to VMs.
They require frequent patching and updating; they require locking down configuration
settings; they need secure account settings; and when setting up users, you should follow the principle of least privilege. One nice thing about a VM is that once you have
hardened the configuration as needed, you can always use it as a baseline and replicate
it multiple times, so that each VM you create starts out with that hardened baseline
and requires only recent patches or configuration changes. This makes it much easier to
deploy VMs on a large-scale basis.
VMs require network connectivity to ensure that patches get updated in a timely manner. You also need to make sure that you install anti-malware on the VMs, since, like all
networked hosts, they are susceptible to malware from Web sites, malicious files, and so
forth. They should all also have host-based firewalls or multipurpose packages that take
care of firewall, anti-malware, and intrusion detection software.
In addition to the normal things that you would do to secure physical hosts, VMs
lend themselves to some other security measures. When not active, VMs are simply files
located in storage, and as such they can be protected through permissions, encryption,
and separation, the same as you would protect any other types of sensitive data files. They
can also be copied and stored securely on secure media. Also like physical machines, VMs
should be backed up periodically to ensure availability, as discussed next.
Snapshots and Backups
Like physical machines, virtual machines also need to be backed up from time to time.
VMs have some advantages, however, in that they are native files located on a file system
of some sort, so you can treat them like files for backup purposes. You could perform file
backups to network-based or offline storage, and you could also encrypt these files when
they’re backed up. You can also restore these files at will if a VM fails or becomes inaccessible. And you can use them to create additional duplicate VMs for redundancy purposes.
You can also perform snapshots on VMs. A snapshot is a point-in-time backup of the
current system state of the VM. This means the VM would back up and preserve any
applications in use, user data, or other configuration details specific to that system’s state
at that moment. You could take a snapshot of a VM before installing a new application or
a critical patch, for example, and save the snapshot so that if the patch or software caused
a functionality or security issue, the snapshot could be restored, enabling you to revert to
the state the VM was in before the installation. You can use incremental sets of snapshots
or combine them with traditional backup methods to maintain highly focused, comprehensive system state backups for availability.
Using Virtualization for Security
Virtual environments can provide stable, segregated environments in which to test applications, software, and even malicious code. Virtualization can also contribute to system
08-ch08.indd 412
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-2: Virtualization Security
413
and data availability by maintaining multiple redundant copies of identical virtual
machines. In the next few sections, we’ll go into a bit more detail on how virtualization
contributes to the overall security posture in the organization.
Patch Compatibility
You already know that you should test patches before applying them to production environments. This is because sometimes patches have unforeseen negative effects on production hosts, which can quickly take down critical operations. One thing that a virtual
environment can give you is a complete test environment that mirrors the production
environment. You can copy a physical machine and create an identically configured VM
out of it. You can use this to your advantage by creating an almost exact replica of your
physical environment in the virtual world, and test your patches, configuration changes,
and updates in this test environment before you apply them to the physical machine.
This helps avoid unintentional issues when you apply patches to production machines.
It also provides you an opportunity to see where issues may exist and determine ways to
correct them before the patch goes into production.
Host Availability and Elasticity
Virtual environments offer organizations real flexibility in the use of their infrastructure
for both availability and elasticity. Virtualization supports availability in that you can
almost instantly duplicate production hosts (whether physical or virtual) in a virtual
environment, adding redundant capabilities for availability purposes or assets for use
when existing hosts aren’t enough. You can copy physical machines and convert them to
virtual machines and, because VMs are merely files, you can copy and reinstantiate them
as new additional VMs (with a few basic configuration changes, of course).
Virtualization provides elasticity, meaning you can expand, duplicate, reconfigure,
repurpose, and reuse resources in the environment (in this case, virtual hosts) on the fly,
as the need for them arises or shrinks. This provides an organization flexibility in its use
of resources, saving physical machines and reallocating, activating, and deactivating hosts
as needed in dynamic-use situations. Virtual machines can be provisioned, configured,
and stored in advance for just such instances.
Virtualization applies to networking components as well, enabling rapid scalability
and adaptability of networks of VMs. Software-defined networking (SDN) enables centralization of portions of the routing and switching (such as creating and maintaining
routing tables), which can then be rapidly pushed to routers and switches that only
handle the packets and frames. Current SDN boxes employ security features that can
rapidly respond automatically to attacks such as DDoS attacks.
Security Control Testing
Virtualization enables security professionals to test various security controls on virtual
hosts, either before implementing them in production or as changes to the production environment occur. You can configure different controls to test effectiveness and
functionality, to ensure that the appropriate control is implemented correctly for the
environment. This can help confirm whether a new security patch will break an application; whether a configuration change is effective in reducing a vulnerability; whether a
08-ch08.indd 413
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
414
change to an operating system’s function or configuration breaks its security baseline; and
whether a target host is configured as securely as you need it to be for vulnerability and
penetration-testing purposes.
Sandboxing
Sandboxing provides an enclosed environment in which to run potentially dangerous
applications, or even malware, to determine the effect they would have on the environment. Often, security professionals need to see the effects of an application or software
on a host to determine how it interacts with the system and the network. This can help
them identify potential issues with untrusted software, such as executables and scripts.
Sandboxing allows you to test potentially harmful software in a controlled, isolated environment, without the possibility of affecting other hosts or allowing unwanted communication to the network. Virtualization provides sandboxing capabilities by giving you
the option of running an isolated virtual host for that purpose.
Module 8-3: Cloud Deployment
This module covers the following CompTIA Security+ objectives:
• 2.2 Summarize virtualization and cloud computing concepts
• 2.4 Summarize authentication and authorization design concepts
• 3.6 Given a scenario, apply cybersecurity solutions to the cloud
It didn’t take very long after the introduction of virtualization for some clever people
to realize something simple yet amazing. They could build a big server farm in a central
location, fill it with servers, load a VM hypervisor on each of those servers, and add a
(relatively) easy-to-use, Web-based interface so that thousands of paying customers could
create and manage their own VMs. That’s the core of what cloud computing is all about.
Cloud computing simply means to move computers, or at least some aspect of those
local computers, to a location only identified with an IP address or a DNS name. Think
of cloud computing just as you would any other service you pay for—such as water, electricity, cable, phone, Internet, and so on—except that now you’re paying for computing
as a service. Those computing services run the full gamut, from processing power, storage,
applications, and more.
NOTE Cloud computing isn’t just for the public Internet. You’ll see private
clouds as well later in this module.
Cloud computing got its name from the many network architectural diagrams, such
as the one shown in Figure 8-9, where the Internet is portrayed as a cartoonish cloud
figure, meaning it’s abstracted from the rest of your network beyond your perimeter and
Internet service delivery point.
08-ch08.indd 414
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-3: Cloud Deployment
415
The Internet
et
WAN Connection
Exterior Router
Firewall
Access Switch
Company Servers
Figure 8-9
The cloud
Cloud computing offers many advantages, because it removes all the responsibility
and overhead for maintaining data storage and processing in your computer, or even
on your premises, and hands it over to a cloud service provider. A cloud service provider
(CSP) essentially is a third party that owns a data center full of virtual servers, with
multiple fast connections to the Internet. The CSP installs different types of operating
systems and applications on its servers so that it can provide different services to customers via the Internet.
Interestingly, with the shift of responsibility over mundane aspects of computing, like
hardware maintenance, operating system updates, application patches, and updates from
on-premises administrators to the CSP, the overall responsibility for authentication and
authorization remains in the hands of local administrators. In a typical small office, for
example, the local admin runs a Microsoft Active Directory domain and handles user
accounts, groups, permissions, and so forth. Scaling up to a medium or larger organization, teams will handle the various aspects of Active Directory, but it’s essentially the same.
Moving to the cloud with software as a service (SaaS) offerings such as Microsoft 365
just shifts the security structure from local Active Directory to Azure Active Directory.
08-ch08.indd 415
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
416
The local or enterprise administrators continue to handle user accounts, groups, permissions, and so forth, but they’re Azure Active Directory accounts, groups, etc.
What the organization’s administrators gain by going to the cloud is that they don’t
have to deal any more with maintenance and upgrades of hardware, operating systems,
and applications. The CSP handles all that. Authentication and authorization remain the
responsibility of the organization’s IT administrators.
EXAM TIP Expect a question on the CompTIA Security+ exam that compares
or contrasts cloud vs. on-premises requirements. In a nutshell, cloud
deployments put fewer demands on local hardware, but higher demand on
network bandwidth; security focuses on cloud solutions (see Module 8-4 for
specifics). On-premises networks require more local hardware firepower and
a lot more local expertise from techs and administrators. And the differences
are about responsibility for security.
As you’ll see in the next several sections of this module, cloud service providers can
offer all types of services. Let’s look at cloud deployment models, cloud architecture
models, and then wrap with “Cloud Growing Pains.”
Let’s Talk Amazon
Before we go any further, we have to take a moment to recognize the king of all cloud
service providers: Amazon Web Services (Figure 8-10). Amazon certainly didn’t invent
cloud computing, but Amazon was the first public CSP that made the idea of cloud
computing popular and widespread. Using innovative ideas and deep economies of
scale, AWS dominates the cloud and stands as the one of the largest public CSPs. All
hail AWS!
Over the years AWS has seen many superb competitors enter the cloud marketplace:
Google Cloud, Microsoft Azure, and IBM Cloud, just to name a few. Although the organizations backing these competitors are also very large, Amazon was the first to market,
Figure 8-10
AWS is the king
of the cloud
service providers
I’m the King
of the Cloud!
Amazon Web Services
08-ch08.indd 416
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-3: Cloud Deployment
417
and as the cloud leader AWS created many terms that are common lexicon for the cloud
industry. The CompTIA Security+ exam leans heavily on some of these terms, so you need
to know them. Let’s dive right in with regions, zones, compute, storage, and network.
Regions
AWS divides the globe into over 20 regions. By default, your location is based on your
physical location, but you may add regions (for extra cost) when you need wider coverage. The following are a few sample AWS regions:
• us-west-1 US West (Northern California)
• us-west-2 US West (Oregon)
• af-south-1 Africa (Cape Town)
Zones
AWS divides regions into multiple availability zones to provide even more geographic
separation to get your application even closer to end users. Here are some examples of
AWS zones, part of the us-west-1 region used in the United States:
• us-west-2-lax-1a US West (Los Angeles)
• us-west-2-lax-1b US West (Los Angeles)
Amazon Product Categories
When AWS first opened, it basically offered a single product: public-facing virtual
machines that you could configure and run individually. You want two VMs? Great! Just
spin up a second one! You want more? Go nuts! Over time, AWS has invented (or copied)
so many more products beyond this single system that Amazon was compelled to invent
an organization for these product categories, which initially consisted of three categories:
Compute, Storage, and Network. As you can see in Figure 8-11, the categories have gotten a lot more granular since then.
EXAM TIP AWS uses the terms Compute, Storage, and Network. Know them,
as they are objectives on the CompTIA Security+ exam.
Compute Products Any product that has to do with computation is a Compute
product. AWS’s Amazon Elastic Compute Cloud (Amazon EC2) is the compute product
you use to create VMs (AWS calls an individual VM an instance). Need to run containers
on the cloud without spinning up your own instance? Then try Amazon Elastic Container
Service (Amazon ECS).
Storage Products AWS Compute products generally come with just enough storage
to boot your OS and that’s about it. If you need more data storage, you’re going to want
an AWS Storage product; the secret here is knowing what you need to store. Looking
for general-purpose storage, the equivalent of adding an extra drive to the system? You
want Amazon Simple Storage Service (Amazon S3). Want a cheap backup solution?
08-ch08.indd 417
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
418
Figure 8-11
AWS main product page (https://aws.amazon.com/products)
Try AWS Backup. Got a huge FTP/SFTP/FTPS site and want to move it all to AWS?
Then you need the AWS Transfer Family.
Network Products If you can move individual systems up to the cloud, then why not
move a network up there as well? Any AWS product that provides or supports networking
on the cloud goes into the Network product line. If you have multiple instances on the
cloud, why not tie them together with a virtual network? That’s Amazon Virtual Private
Cloud (Amazon VPC). On AWS, never call your virtual network a virtual network—call
it your VPC if you want other techs to understand you. Would you like your on-premises
servers to talk easily to your VPC? Then grab AWS Transit Gateway.
Get Used to AWS Terms!
If you want to get into cloud security, if you want to pass the CompTIA Security+
exam, you need to get comfortable with these terms that AWS has introduced. The cloud
industry may be over ten years old, but it continues to grow in terms of size and services.
This is in no way a complete list of AWSisms, but this will get you started—and most
importantly through the CompTIA Security+ exam.
NOTE These terms are now standard across the cloud industry, but AWS
invented them.
08-ch08.indd 418
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-3: Cloud Deployment
419
Software as a Service
Platform as a Service
Infrastructure as a Service
Figure 8-12
A notional cloud service architecture
Cloud Deployment Models
There’s not really a one-size-fits-all cloud deployment model—online services that people
can rent or buy. The next few sections explore several types of cloud services offered
by cloud service providers. Some of these services are simplistic, such as data storage,
for example, but others are very complex and can supplement or even replace parts of
enterprise-wide infrastructures. Many of these types of services are scalable, meaning
that anyone from home users, to small businesses, to large corporations can make use
of them. We’ll discuss these services from a business perspective, of course, but similar
principles apply, whether a business is a small-office/home-office type of setup or a large
corporate enterprise that spans several geographical locations. In Figure 8-12, you can see
an example of how cloud services might be organized.
Software as a Service
With software as a service (SaaS), customers run software that’s stored in the cloud (almost
always on a virtualized server) and used via a Web URL or, in some cases, a client program stored on a local system. SaaS is wildly popular today. Voice over IP (VoIP) services
such as Skype and Google Voice provide voice/video communication. Cloud storage solutions such as Dropbox and Microsoft OneDrive provide terabytes of storage for files;
by definition, that storage resides outside the physical network. Even traditional office
applications are now available via SaaS. Microsoft offers Office as an SaaS solution via
Microsoft Office 365 (Figure 8-13).
08-ch08.indd 419
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
420
Figure 8-13
We wrote this textbook entirely with Office 365
SaaS offers several advantages to businesses. First, software licensing costs less via the
cloud. The software licensing may be subscription-based, so an organization may purchase licenses based upon numbers of users or concurrent connections. Second, an organization can avoid the legal ramifications of software piracy, since an application on the
cloud can’t be easily copied and transferred from computer to computer or taken home
by employees. In fact, the organization doesn’t have to store or manage any media at all,
because the software is stored and used in the cloud, with the exception of occasional
small components downloaded to a user’s workstation.
Security as a service (SECaaS) is a subset of SaaS that focuses only on bundling security
solutions. As you might imagine, the security solutions offered run the gamut of every
security solution you would implement on premises, such as security assessments, vulnerability scanning, and so on.
Infrastructure as a Service
Infrastructure as a service (IaaS) goes beyond posting simple software applications in the
cloud. IaaS provides entire machines, such as Windows or Linux hosts, for example, for
remote connection and use. Of course, these aren’t physical machines; they are virtual
machines hosted by a CSP’s infrastructure. Users simply connect to them via the Remote
Desktop Protocol (RDP) or another secure remote connection protocol and use them
as they would any other computer. Users can run applications installed on the virtual
machine, create content, process data, and perform any other typical tasks they would
perform on a physical machine. An example of IaaS is Amazon EC2; Figure 8-14 shows
the EC2 interface for creating a new VM (AWS calls VMs instances).
08-ch08.indd 420
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-3: Cloud Deployment
421
Figure 8-14
Interface for Amazon EC2
Usually, however, IaaS implementations provide servers rather than workstations;
most businesses that leverage an IaaS provider do so for server VMs. The advantage
of having virtual servers through an IaaS provider is that the business doesn’t have to
provision, manage, or maintain huge server farms or data centers—all that’s done for
them by the provider. The provider handles patches, updates, configuration, and so on.
Additionally, licensing for servers provided through an IaaS contract is usually far more
streamlined, and cheaper.
Platform as a Service
Platform as a service (PaaS) offers a business a computing platform—such as a Web application server or database server, for example—that it can use to provide services both
internally and to customers on the Internet. Many online storefronts use this model to
conduct business, rather than hosting on their own premises the physical servers, Web
sites, databases, and applications. Again, the advantages of using this type of service
are cost savings, no requirement to build and maintain the infrastructure on site, and
the guarantee of around-the-clock availability—plus, the PaaS provider takes care of the
patching and configuration work.
Anything as a Service
The big three—SaaS, IaaS, and PaaS—get a lot of attention, but today anyone can
develop virtually (pardon the pun) any type of resource, software, or application that
anyone might need. With anything as a service (XaaS) your choices are vast.
08-ch08.indd 421
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
422
Monitoring as a Service (MaaS), for example, provides continuous tracking of the
health of online services used by an organization, such as systems, instances, networks,
and applications. Like with other cloud services, this XaaS variety puts the maintenance
and security into the hands of the CSP, relieving on-premises administrators from those
responsibilities.
Another interesting XaaS is desktop as a service (DaaS), which provides users with
their own virtual desktops. Their actual physical machines don’t really matter: they can be
full desktops, thin clients, tablets, or smartphones. No matter where users are located or
what they have at hand, they have instant access to their desktop.
EXAM TIP You’ll recall thin clients from your CompTIA A+ studies, essentially
a keyboard, mouse, and monitor that access an operating system,
applications, and data remotely. Expect a question on the CompTIA Security+
exam that explores thin clients as direct components of cloud computing.
DaaS competes directly with more traditional Citrix-developed virtual desktop infrastructure (VDI), where an enterprise sets up a central server to provide desktop interfaces
for users. Just like with other virtualization and cloud-based services, DaaS takes the
managing of hardware and software out of the hands of local IT staff, freeing them up
for other tasks.
NOTE The CompTIA Security+ acronym list includes Virtual Desktop
Environment (VDE), but that’s not all that common a usage. VDE usually
stands for Virtual Distributed Ethernet, a networking virtualization technology
used in Linux. Neither use of VDE is synonymous with VDI.
Cloud Architecture Models
Although we stated that cloud environments are operated primarily by large companies
with huge data centers, this isn’t always the case. In fact, an increasing number of clouds are
popping up that follow a few different architecture models. These include private clouds,
public clouds, and a few other models we’ll briefly go over. Any of these various cloud
architectures may be used, depending on the organization’s specific needs and its reliance
on third-party providers or its requirements to keep computing resources in house.
Private Cloud
In a private cloud, as you might expect, one party uses the cloud environment—the infrastructure, network devices, connections, and servers. A private cloud doesn’t necessarily
mean that the infrastructure also resides physically within the business’s own data center on
its physical premises. It could certainly be that way (military organizations and very large
corporations often host their own private cloud, for example), but a private cloud can also
be hosted by a third-party provider as a contracted service. Regardless of where the environment is hosted, a private cloud is for the use of the business that’s paying for it—it’s not for
public or shared use. It can still host the same types of services described earlier.
08-ch08.indd 422
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-3: Cloud Deployment
423
A private cloud may cost the organization a bit more if it’s hosted within a data center
it owns and operates, but this cost is usually absorbed by the cost of operating the data
center itself. An organization can save a bit of money if a third-party provider operates
the data center for the organization, however. Another advantage of a private cloud, other
than exclusive use, is that the organization may be able to exert more control over data
security and availability levels.
NOTE One of the challenges to private clouds is the connection between
a private cloud service provider and on-premises systems. Companies like
AWS provide an interface called a transit gateway that gives any system
a simple way to connect to your cloud. In most cases the connection is
via a VPN.
Public Cloud
A public cloud is usually operated by a third-party provider that sells or rents “pieces” of
the cloud to different entities, such as small businesses or large corporations, to use as they
need. These services and the “size” of the piece of cloud an organization gets may be scalable, based on the customer’s needs. Customers usually don’t get direct connections to the
provider, as they might in a private cloud model; the connections are typically made over
the customers’ existing Internet connections. Several business models are used for these
types of clouds, including subscription models, pay-per-use, and so on. Unlike a private
cloud, the security and availability levels are pretty much standardized by the provider
and offered as part of the contract; organizations purchasing those services may not have
any control over those terms. Examples of public cloud service providers include offerings
from Amazon Web Services (AWS), Google Cloud Storage, and the Microsoft Cloud.
Community Cloud
A community cloud is made up of infrastructures from several different entities, which
may be CSPs, business partners, and so on. In this structure, common services are offered
to all participants in the community cloud, to one degree or another. An example of a
community cloud is one that is shared among universities or educational institutions.
Each institution provides a piece of infrastructure, and the cloud may include third-party
providers as well, to form a cloud shared by all.
Hybrid Cloud
A hybrid cloud is any combination of the cloud models described previously. You could
have public/private hybrids, private/community hybrids, and so on. A hybrid might be
used because all parties need common cloud services (common application or Web platforms, for instance, on linked or connected Web sites), while maintaining their own
private or community clouds for other purposes. Hybrid clouds could be constructed in
many different ways, using third-party providers, private or shared data centers, and so
on, as well as different types of connections (direct, Internet-only, and so on). Figure 8-15
sums up the relationships between the different cloud types.
08-ch08.indd 423
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
424
Community Cloud
Hybrid Cloud
Public Cloud
Community Cloud
Internal/On-Premises Private
Cloud
Figure 8-15
Private Cloud Hosted
by Third Party
The relationships between the different cloud types
EXAM TIP Over time, an organization can find itself in a situation where
it’s using services from multiple providers—IaaS here, PaaS there, XaaS
everywhere. This self-evolving mess only gets more complicated with
hybrid clouds that include third-party access to their services (or vice versa).
Services integration is a type of propriety solution offered by companies to
streamline, organize, and simplify (as much as possible) a wide-ranging array
of services into a single source.
There’s no set definition for services integration. Solutions are customized
to fit an organization’s specific components and vendor solutions. You might
find the term service integration and management (SIAM) used instead of
services integration as well.
Cloud Growing Pains
The explosive growth in cloud computing has led to some issues where a one-size-fits-all
solution doesn’t work efficiently for an organization, specifically in terms of latency and
scalability. Several solutions fine-tune cloud-based networks to address these issues.
08-ch08.indd 424
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-3: Cloud Deployment
425
Latency
A standard cloud computing system moves the processing of data from the local network
to the cloud servers. That simplifies the needs of the local network and optimizes the
processing—that’s the ideal. The downside of cloud-based processing is that it induces
latency. Data has to flow to the cloud, get processed, and then get pushed back to devices.
A lot of devices and systems handle this latency without problems. But an increasing
number of smart devices—phones, tablets, Internet of Things (IoT) devices, surveillance systems, and so forth—need low-latency processing of immediate data. Two related
options—fog computing and edge computing—address the latency issue.
In essence, the buzz-sounding solutions of fog computing and edge computing push
some of the processing in a cloud network back to the local network. Fog computing
devices do a lot of local processing before syncing to the cloud so that, for example, you
know quickly when someone’s ringing your smart doorbell. Edge computing adds local
processing and data storage, sometimes with dedicated processing stations. If this sounds
familiar, it’s because that’s the way networks worked before the cloud phenomenon! It’s
as if providers pushed everyone to cloud solutions and then had to dial it back to address
latency issues, and they could use cool new marketing terms.
Scalability
Scalability in cloud networks means giving organizations flexibility to grow on demand.
Two options help address this issue efficiently, microservices and serverless architecture.
Microservices/API More sophisticated Web applications are complex beasts,
requiring teams of programmers and potentially services all working together to make
these applications do what they do. To that end, there’s motivation to split up and
delegate the work needed to make a Web app work. That’s where microservices and APIs
come into play.
Consider a typical Web app that includes merchant functions for purchases and
inventory and a user logon function for special pages. Instead of making the Web app
monolithic (one big pile o’ code), we can separate the application into free-standing
microservices—programming sections—that support the application as a whole. One
microservice might handle user logins, another the inventory database, and so forth.
These microservices might be written in-house, provided by third parties, or even treated
like an XaaS.
Complementing microservices are application programming interfaces (APIs), the interfaces that enable different programs or different parts of a program to access another’s
code. APIs aren’t new, but in this context APIs mean the interfaces that different parties
use to access Web applications.
Employing microservices (and APIs to make connections) means developers can focus
on the parts of an application under demand, rather than try to make everything scale
up. If the database is getting slammed and needs updating, the programmers can focus
on the microservices that address the database needs and not have to worry about the
unaffected parts. This increases scalability efficiently.
Serverless Architecture Classically in the cloud there is some amount of work placed
on administrators to set up servers. In a typical cloud service—let’s consider IaaS for this
08-ch08.indd 425
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
426
example—the cloud service requires you to configure a server and then use that server
as, well, a server. Even with PaaS, you still need to configure a server and make sure it’s
running whatever essential service.
In a serverless architecture, the CSP offers services directly to end users. This usually
manifests as functions or software downloaded as needed for provider services such as
storage or messaging. Serverless solutions such as AWS Lambda merely require your endpoints to “point” toward a domain name for those services.
NOTE Serverless architecture isn’t truly serverless. It’s just that you aren’t
required to set up a server. Your CSP provides services directly to your
endpoints.
Module 8-4: Securing the Cloud
This module covers the following CompTIA Security+ objectives:
• 1.2 Given a scenario, analyze potential indicators to determine the type of
attack
• 1.6 Explain the security concerns associated with various types of
vulnerabilities
• 2.2 Summarize virtualization and cloud computing concepts
• 3.6 Given a scenario, apply cybersecurity solutions to the cloud
Replacing on-premises networks with cloud-based networks presents a security challenge. In the first place, many vulnerabilities and attacks don’t really change very much
between cloud and on-premises. On the other hand, cloud infrastructures bring up a
number of interesting security controls and capabilities that work differently than onpremises. Let’s look at some of these.
EXAM TIP Look for questions on the CompTIA Security+ exam that
compare cloud-based vs. on-premises attacks and cloud-based vs. on-premises
vulnerabilities. The physical component of on-premises vulnerabilities and
attacks doesn’t apply to cloud-based vulnerabilities and attacks. All of the
network-specific vulnerabilities and attacks to exploit those vulnerabilities
apply to cloud-based and on-premises networks.
Cloud Security Controls
Cloud security controls address the unique features of cloud computing to mitigate several
security issues. This section first explores zones as a cloud security control and various
security controls for storage, network, and compute cloud services. We’ll finish with a
nod to SDN/SDV and cloud native controls.
Zones
Zones are the bread and butter of AWS cloud security controls. Zones usually come in
pairs. Zones are real-time copies of each other, providing extremely high availability across
08-ch08.indd 426
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-4: Securing the Cloud
427
zones as well as making integration and auditing easier. There’s not much to add here from
a security standpoint.
NOTE Other cloud service providers use the concept of zones. Microsoft
Azure has regions that subdivide into zones, for example. Regardless of
the specific label used by CSPs, the idea is to provide high availability so
customer downtime or lag is reduced to as near zero as possible.
Storage
Nothing does mass storage like the cloud! From databases accessed millions of times per
second to long-term archival materials, cloud storage is wonderfully convenient. For
example, simply placing mass storage on the cloud instantly takes care of mundane items
such as backup because all of your data is stored in zones, providing automatic replication
and high availability.
Cloud storage services require permissions just like any resource. File servers need permissions. Mail servers need permissions. You get the idea. Cloud service providers—let’s
just say AWS, as Amazon invented this term—call their permissions resource policies. A
policy is an object in AWS that defines the permissions to an identity or resource. AWS
defines two types of resource policies: identity-based policies and resource-based policies.
Identity-based policies are assigned to users, groups, or roles. Resource-based policies are
attached to a resource.
Given the fact that the cloud is always a remote connection, encryption is essential.
Encryption is generally an easy thing to implement given that everything we might ever
want to do application-wise has a secure protocol. The challenge with encryption in
cloud solutions isn’t the actual encryption per se; it’s the storage and administration of
all the passwords, keys, certificates, RSA tokens, and other secret stuff needed to keep all
these encryptions working.
A secrets management solution takes all those secrets away from the apps that traditionally store them and locks them away in a separate database, giving administrators a
one-stop-shop location to manage the secrets without affecting the application that needs
them.
Network
Many small cloud customers tend to build a single-server system on the cloud, accessing
the system as needed to keep it running properly. As customer needs increase, it’s very
common to create multiple systems and connect them into virtual networks, all residing
on the cloud.
The most important concept about virtual networks is that they work exactly like an
on-premises network. IP assignment (static or DHCP), DNS, subnetting, firewalls, and
similar issues all apply to a virtual network—it’s simply a matter of figuring out how your
CSP offers the tools necessary to make these configurations.
AWS calls a virtual network a virtual private cloud (VPC). But what happens if you
want public-facing servers on your AWS cloud? No problem. Just make separate subnets
and make one of those subnets public! That’s right, with AWS you make a virtual private
cloud and then make part (or all) of the VPC public.
08-ch08.indd 427
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
428
EXAM TIP Expect a question on the CompTIA Security+ exam that asks you
to compare options or solutions for public and private subnets.
The actual steps of segmentation of a network vary among CSPs, but the process is
similar. First, define network IDs. Second, connect separate network IDs using virtual
routers, adding firewalls as needed.
API Inspection and Integration Odds are good that if your organization were to
develop a Web application, that application would use some form of API to connect
to other applications. APIs do so much of the heavy lifting today interconnecting
applications. These other applications might be as simple as tools to share some database
information; or they may connect two apps to enable single sign-on.
If you’re going to use an API with a Web application, consider two items. First, how
does the application perform API integration? In other words, how does the application
connect to another application’s API (or vice versa)? Second, how does the application
perform API inspection to ensure that only the correct data moves between the apps?
A cloud app provider creates one or more APIs to enable access to its products. Various cloud security providers such as Microsoft Cloud App Security work with that cloud
app provider to optimize interaction with the APIs, which includes API inspection for
account information, audit trails, app permissions, and so on. Ensuring secure access
between APIs enables functional use of Web applications.
Firewalls in the Cloud Cloud networks need all the same protections from external
attackers that any on-premises network needs. Where an on-premises firewall protects
physical networks, cloud firewalls protect cloud networks.
EXAM TIP With AWS cloud networks you can create (up to five) security
groups with each VPC that act as a virtual firewall for the instance. They
control inbound and outbound traffic and can each have different rules for
handling traffic.
There are several firewall considerations in a cloud environment. First, what does your
cloud network need for segmentation? For small operations, a Web application firewall in
front of a single instance may be all you need (Figure 8-16). Maybe in a larger situation
you would place an edge firewall in front of multiple servers. Larger still and you might
need multiple next-generation firewalls (NGFWs) segmenting many subnets at multiple
Open Systems Interconnection (OSI) layers.
Cloud service providers can offer firewalling at one or more OSI layers, depending
on the needs of the organization. They can make Layer 3 firewalls available for specific
purposes, for example, and Layer 4 for others, plus NGFW solutions for overall security.
A key factor for an organization needing firewalling isn’t capability, per se, but cost.
A CSP may offer many types of firewalls, but not for free! CSPs use a metered pricing system, charging by the gigabits/month. These prices are usually inexpensive relative
to the overall cost of your cloud . . . until they are not. An aggressive DDoS attack, for
08-ch08.indd 428
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-4: Securing the Cloud
429
Figure 8-16
Traditional firewall configuration in AWS
example, can increase your monthly firewall as a service (FWaaS) costs by a factor of tens
of thousands.
NOTE All cloud service providers offer some form of “How much am
I spending and why” reporting/alarms. Take advantage to avoid costly
surprises!
Compute
Securing compute components means focusing on immediate, active processing. That
means securing VPC endpoints, dynamic resource allocation, software-defined visibility,
instance awareness, and container security (plus security groups, discussed previously).
VPC Endpoint When CSPs offer XaaS, you need some method to enable your cloud
to connect to these services. In the AWS world, your VPC needs a connection to that
service. Instead of wasting potentially valuable IP addresses, virtual routers, and such,
AWS creates a private IP address to the service you choose—called a virtual private cloud
(VPC) endpoint—and your VPC just… connects to it.
Dynamic Resource Allocation It’s not hard for a CSP to adjust resources allocated to a
customer based on need. Some examples of resources are CPU and memory bandwidth,
storage capacity and speed, network connection, and number of instances of the server
(there are many more). The challenge is how to do this dynamically, to adjust the resource
allocation to the customer so that the utilization is as close to 100 percent as possible.
08-ch08.indd 429
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
430
Dynamic resource allocation is agreed upon between the CSP and the client as part
of their mutual service-level agreement (SLA). How this SLA manifests varies greatly. In
most cases, even the SLA is automatically adjusted by a client clicking some button
that changes the agreement. If you agree to allow your CSP to add more instances, for
example, then you’ll pay for those instances when they are brought online.
NOTE Dynamic resource allocation is a wonderful feature of the cloud—
just keep an eye on your bill!
Instance Awareness It’s very common for an organization to run many instances of
cloud services. For example, an organization might be running hundreds of instances
of Google Drive—corporate instances that are shared by users; individual instances for
personal use; and instances shared by groups within the organization. Firewalls, NGFWs,
SDV—these tools do not have a method to differentiate between instances, i.e., they
don’t have instance awareness. Sure, they can turn off access to Google Drive, but if only
one instance is being naughty, then we need other solutions that can locate the naughty
instances causing problems and shut them down without killing everything.
NOTE Netskope (https://netskope.com)—and other companies—offers
solution for protection and prevention among cloud instances that lack
instance awareness.
Container Security Containers are the way to go in the world of application
development due to their convenience, tiny footprint, and ease of use, but they come
with their own security issues. The best way to consider those issues is to think of any
container as three distinct components. First is the underlying operating system, second
is the container software, and last is the application running inside the container.
The underlying OS isn’t anything special in terms of security requirements other than
your awareness that the usual security applied to a host might affect the container itself.
Never patch an OS without first investigating anything that might affect the security of
the container software. Also monitor file permissions and user accounts that might provide unauthorized access to the container software.
Container applications like Docker and Kubernetes have their own access control lists
(ACLs) to the application as well as the images they store. Careful auditing and monitoring are required, especially in environments where many hands are working on the
same product. Take advantage of the container application’s role-based controls as well
as segmentation of the application into separate images as needed. Also make sure any
container software updates do not affect your images.
Last, consider the security of your images. It’s common to use signed images to verify
image integrity. Never add third-party files to your image without careful inspection.
08-ch08.indd 430
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Module 8-4: Securing the Cloud
431
Software-Defined Visibility
Monitoring a complex network can easily become messy. IDS/IPS, firewalls, and SIEM
setups aren’t nearly as static in a cloud as they are in a classic on-premises network. In
particular, software-defined networking (SDN) setups make it challenging to monitor
cloud networks using classical tools.
Enter software-defined visibility (SDV). By applying software (called APIs in this area)
to every (or at least most) devices on the network—including end nodes—any part of the
network is now visible to your defensive tools. Any device can detect and respond to an
attack. SDV all but removes potential blind spots on your network. Most SDV solutions
are proprietary and only seen on larger, more secure networks.
Cloud Native Controls vs. Third-Party Solutions
AWS provides a huge number of amazing controls built into the AWS space. These hundreds of controls, created by and offered by AWS, are known collectively as native controls
(Figure 8-17). AWS, like all other CSPs, however, gives third parties access to AWS VPCs
via APIs. This has created an entire industry of third parties that provide solutions for
thousands of niche situations.
Figure 8-17
08-ch08.indd 431
AWS native controls
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
432
Unique Cloud Security Solutions
The cloud introduced not only a whole new class of security controls but many security
solutions as well. Let’s look at three here:
• CASB
• SWG
• Application security
Cloud Access Security Broker
Cloud access security broker (CASB) refers to a service that manifests as a layer of software
between a cloud application and an enterprise or organization, designed to provide security. Most commonly, the major cloud organizations—like Google, Amazon, Microsoft,
and so on—have invested heavily in automated controls implemented through APIs. You
can rely on these companies for proper security.
A proxy-based CASB, in contrast, relies on a third party’s software in between the cloud
service provider and an organization or enterprise that uses those services. Proxy-based
services inject more security problems rather than reduce security risks. The proxy-based
services seem to have briefly appeared but flamed out. If you get asked about CASBs on
the exam, focus on the API-based models.
Next-Generation Secure Web Gateway
As quickly as cloud-based applications develop new solutions to address previously
unconsidered vulnerabilities, new issues come into focus, requiring yet another class of
security solutions. Arguably the newest solution is the next-generation secure web gateway
(SWG). An SWG stands between a Web application and all of the services that Web
application uses.
Application Security
Chapter 11 covers a lot about secure Web development, but the term application security is so cloud-centric that it warrants a mention here. Cloud applications need a lot of
security in development and during runtime. Tools that provide that form of security are
under the umbrella of application security.
Questions
1. What’s the minimum number of computers needed for a DDoS attack?
A. 1
B. 2
C. 10
D. 1000
08-ch08.indd 432
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Questions
433
2. What is a company that provides security monitoring for a fee called?
A. IaaS
B. MSP
C. MttF
D. Security broker
3. Virtual machines must have a __________ in which to run.
A. bare metal
B. container
C. database
D. hypervisor
4. Docker is a popular management system for what sort of product?
A. Containers
B. Security
C. Shoes
D. VMs
5. The accounting department built their own hypervisor and added four virtual
machines without letting anyone know. This is an example of what virtualization
issue?
A. Hypervisor
B. Unauthorized zone
C. VM escape
D. VM sprawl
6. John’s cloud service provider enables him to set up virtual machines. He can add
any operating system he wants. This is an example of which type of service?
A. IaaS
B. PaaS
C. SaaS
D. XaaS
7. Total Seminars deploys both a public cloud and a private cloud. What kind of
cloud solution do they have?
A. Community cloud
B. Hybrid cloud
C. Private cloud
D. Trusted cloud
08-ch08.indd 433
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 8
Chapter 8: Securing Public Servers
434
8. AWS divides the world into more than 20 __________.
A. cubits
B. regions
C. sectors
D. zones
9. A(n) __________ solution takes secrets away from apps that traditionally store
them and locks them away in a separate database.
A. BitLocker
B. Internet key exchange
C. password vault
D. secrets management
10. Bill’s company provides every employee with personalized storage space. His cloud
service provider gives him a tool called __________ that enables him to shut down
any individual instance if there’s a problem.
A. instance awareness
B. NGFW
C. SWG
D. VPC endpoint
Answers
1. B. A distributed denial-of-service attack needs two or more computers to carry
out its attack.
2. B. A managed service provider provides security monitoring for a fee.
3. D. VMs rely on a hypervisor to run.
4. A. Docker is a popular management system for containers.
5. D. Unauthorized creation of VMs in an organization is an example of VM sprawl.
6. A. An infrastructure as a service enables deployment of full systems running a
variety of operating systems.
7. B. A hybrid cloud combines different types of cloud solutions.
8. B. Amazon Web Services divides the world into 20+ regions to enhance efficiency.
9. D. A secrets management solution takes secrets away from apps that traditionally
store them.
10. A. Instance awareness tools enable quick and effective control over instances.
08-ch08.indd 434
25/03/21 2:17 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
CHAPTER
Securing Dedicated
Systems
9
Hey, Scott! Let’s combine embedded, specialized, and mobile systems
into the same chapter! What could go wrong?
—Mike Meyers
What makes embedded systems, specialized systems, and mobile systems sufficiently
similar to cover them in a single chapter? That’s a valid question, considering they run
on a wide array of operating systems—from Windows, Linux, and macOS to Android,
iOS, and customized single-platform OSes—and have a variety of uses, including singlepurpose devices (e.g., an Internet-connected refrigerator), specific-purpose devices
(e.g., a home automation hub), and multipurpose devices (e.g., a smartphone or tablet).
So what’s the connection?
Every one of these devices, which we dub dedicated systems, comes from the factory
as complete and unchangeable computing hardware. When you buy a fitness watch,
for example, you buy a sophisticated computing device, but one that you can’t upgrade
or change. When you buy a new Apple iPad with 64 GB of storage, 64 GB of storage
is all you’ll ever get with that machine. The CPU will never change. The RAM will
never change.
EXAM TIP Dedicated systems is a term we coined and not one you’ll see on
the CompTIA Security+ exam.
That unchanging hardware coupled with changeable firmware or software presents
unique challenges in security. These devices are part of your network, interconnected
with general-purpose computing devices (like a Windows PC or a Linux server), and
absolutely must be part of your overall security posture. Not securing them puts everything else in your system at risk.
435
09-ch09.indd 435
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
436
This chapter explores securing dedicated systems in four modules:
•
•
•
•
Embedded, Specialized, and Mobile Systems
Connecting to Dedicated Systems
Security Constraints for Dedicated Systems
Implementing Secure Mobile Solutions
Module 9-1: Embedded, Specialized,
and Mobile Systems
This module covers the following CompTIA Security+ objectives:
• 2.6 Explain the security implications of embedded and specialized systems
• 3.5 Given a scenario, implement secure mobile solutions
Embedded, specialized, and mobile systems power a huge portion of modern computing tasks, and they come in a variety seemingly as diverse as the fish in the sea. This section
touches on the dedicated systems you’ll encounter on the CompTIA Security+ exam:
•
•
•
•
•
Embedded systems
SCADA/ICS
Internet of Things
Specialized systems
Mobile systems
Embedded Systems
The definition of embedded system is a moving target depending on the author. For some
in the IT industry, the term “embedded system” refers to any computing component packaged as a discrete part of a larger package. A network interface chip soldered onto a motherboard, for example, could be considered an embedded system. It’s a processor. It has
discrete functions that enable the larger system to accomplish things. This broad definition
encompasses thousands of other examples, such as a point-of-sale system at a supermarket
checkout, which handles local tasks (taking credit card information) but depends on a
larger system (the store’s network infrastructure) to complete transactions. As these examples suggest, such a broad definition of embedded system is too unwieldy to be practical.
CompTIA uses the term embedded system more narrowly to describe discrete hardware
components that make up portions of systems. Specifically, the 601 objectives describe
embedded systems as those running a Raspberry Pi, a field-programmable gate array
processor, or an Arduino. Let’s look at all three examples.
09-ch09.indd 436
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-1: Embedded, Specialized, and Mobile Systems
437
Figure 9-1 Raspberry Pi SoC (Image: Future Publishing / Contributor, Getty Images)
Raspberry Pi
The Raspberry Pi powers an array of embedded devices and systems, most notably the
DNS Pi-hole and custom industrial control solutions. The Raspberry Pi exemplifies the
system on chip (SoC) design concept, where all the processing components reside on a
single circuit board—that includes CPU, RAM, system BIOS, Ethernet networking, and
Wi-Fi networking; plus connectivity points for peripherals such as a keyboard, mouse,
and monitor. Figure 9-1 shows a Raspberry Pi 3b.
NOTE A DNS Pi-hole uses a Raspberry Pi at the outer edge of a network,
with the DNS server running special software to block any extra links on Web
sites that display ads. Implementing a Pi-hole will transform your computing
experience without sacrificing network performance. Goodbye, ads! Check
out the Dave Rush Pi features on the TotalSeminarsChannel channel on
YouTube for the scoop.
The Raspberry Pi models can run various Linux distros, including Ubuntu, Kali Linux,
and the dedicated Raspberry OS. As such, you can use a Pi as a standalone multipurpose
09-ch09.indd 437
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
438
computer that replaces a Windows or macOS desktop (and apply all the standard security measures for desktop systems). But the Pi’s small size and very small price have made
it a favorite component in embedded systems, from manufacturing to industrial sensor
controls. Zaro’s Family Bakery in New York City, for example, employs a Pi along with
wireless sensors to monitor temperatures in the bakery’s freezers. This frees employees
from physically checking temps and thus adds efficiency to their operations.
From a security standpoint, Raspberry Pi systems act, smell, and taste like a typical
desktop system, just writ small. The typical Pi can plug into standard peripherals—
keyboard, mouse, monitor—and connect to wired and wireless networks. The Linux
operating systems that run Pis require the same security considerations of desktop Linux
computers, with secure passwords, accounts, and so on. Physical access to a Pi presents
the same danger as physical access to a PC or Mac.
Field-Programmable Gate Array
Embedded systems that require flexibility in processing capabilities use field-programmable gate array (FPGA) computers that, as the name suggests, you can reprogram to
optimize for various tasks. An FPGA does not have a fixed CPU, like the Raspberry Pi,
but rather has integrated circuits (ICs) that developers can redefine as needed. You’ll see
FPGAs used in vehicular systems, such as airplanes and automobiles, where switching
hardware to make changes would be prohibitively expensive. Reprogramming the hardware for updates or corrections makes more sense.
Embedded systems running on an FPGA tend to run a real-time operating system
(RTOS), such as Windows Embedded Compact (Figure 9-2). An RTOS is designed to
respond in real time to inputs. An RTOS is critical for anti-lock brakes, safety stops, and
so forth.
Figure 9-2
Windows
Embedded
Compact
09-ch09.indd 438
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-1: Embedded, Specialized, and Mobile Systems
439
Figure 9-3
Arduino board
with breadboard
From a security standpoint, keeping the firmware up to date to work through bugs
helps. Plus, limiting physical access to control ports or connections minimizes the potential for an attacker to damage your systems.
Arduino
Circuit boards and microcontrollers made by the Arduino company enable embedded
systems used in motion detection, robotics, thermostats, drones, diagnostic systems, and
more. Arduino products are open source and programmable using the programming
languages C and C++. Open source combined with low cost, approachable programming
and many connection options have made the Arduino boards the go-to devices at both
the professional and enthusiast level for embedded devices. Figure 9-3 shows a typical
Arduino system with an attached breadboard (for extending the capabilities of the board,
in this case, for music).
You might think that “open source” and “approachable” would make embedded systems with Arduino at the heart susceptible to hacking, but it’s usually the other way
around. A lot of people use Arduino systems to power their hacking of other systems!
Arduino systems have security concerns. Physical access, like with FPGA systems,
presents a clear danger. The limited memory on Arduino-based systems leaves them vulnerable to buffer overflow and heap attacks. The systems often connect automatically to
the nearest access point when the default connection fails, again providing an opportunity for mischief. As with all computing systems, assume Arduinos need careful thought
and preparation for security.
SCADA/ICS
Supervisory control and data acquisition (SCADA) systems are used in industrial applications, such as energy utilities (electric plants, nuclear power plants), production facilities (for logistics and control of manufacturing systems, for example), sewage treatment
centers, and other specialized applications. Heating, ventilation, and air conditioning
09-ch09.indd 439
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
440
(HVAC) controls also fall into this category and are often automated and connected to
the Internet or other networks to monitor and control environmental elements such as
temperature and humidity in a facility. You’ll often hear the term industrial control system
(ICS) associated with SCADA.
SCADA systems are more and more often being connected to the Internet, and often
in an unprotected state. They run TCP/IP protocols and use embedded versions of some
of the popular consumer operating systems, such as Windows or Linux. This makes
SCADA systems prime targets for hackers, who attack them to damage critical infrastructure, launch denial-of-service (DoS) attacks, and generally create mischief and outright harm. Since SCADA systems often connect to very critical systems, it’s not too hard
to imagine a hacker attacking and gaining control of these systems and seriously affecting
power, water, and other utilities and services on a massive scale. There have even been
reported instances of hackers compromising SCADA systems and launching attacks on
an organization’s traditional internal network infrastructure through them.
One such attack allegedly carried out by the United States and Israel—the Stuxnet
worm attack, code-named “Olympic Games”—blasted through Iranian industrial processes for refining nuclear material. No one on any side will confirm anything—hello
international espionage and sabotage—but the attack destroyed upwards of 1000 nuclear
centrifuges, putting a serious dent in Iran’s nuclear enrichment capabilities.
Methods of mitigating these types of attacks include the traditional ones, such as
encryption, authentication, and patch management. In the case of many of these systems, infrastructure controls, such as intrusion detection systems (IDSs) and firewall
devices, should also be implemented. One other method that should be examined is the
complete separation of these networks and their devices from public networks, such as
the Internet, a form of air gap. (See Chapter 10 for the scoop on air gaps.)
Internet of Things
The term Internet of Things (IoT) describes the many computing devices (other than PCs,
routers, and servers) that connect through the Internet, which is about as broad a definition as it gets. IoT often refers to smaller helper devices, such as lightbulbs you can turn
on or off remotely, but it also applies to heating and cooling systems (facility automation
tools), smart devices like a refrigerator that can tell you how much milk is left, diapers that
inform you when junior needs a change, and so on.
You’ll find a lot of devices marketed as part of the Internet of Things, such as wearables
like the Fitbit fitness watch (Figure 9-4). Wearables have sensors for things like heart rate
and number of steps taken; better ones have location tracking systems. The highest-end
wearable devices, like the Apple iWatch, function as an alternative or extension of a
smartphone, enabling text messaging, music, and more, all connected through the Internet via the cellular networks.
Some devices that might seem an odd fit fall into the IoT category, such as multifunction devices (MFDs) that combine printers, scanners, and copiers into one machine and
then add Internet capabilities. You can print to MFDs from a variety of devices, including smartphones like the Apple iPhone via AirPrint, plus scan and send PDF files directly
to Internet or e-mail destinations.
09-ch09.indd 440
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-1: Embedded, Specialized, and Mobile Systems
441
Figure 9-4 Fitbit IoT watch (Image: Smith Collection/Gado / Contributor, Getty Images)
EXAM TIP The CompTIA Security+ 601 exam objectives refer to
multifunction devices as multifunction printers (MFPs), so be prepared for
either term on the exam.
IoT device manufacturers use a wide variety of different operating systems for their
devices. The big players have their own operating systems, such as Android Things
(Google), Windows IoT (Microsoft), and Amazon FreeRTOS (Amazon). Plus there are
at least a dozen open-source operating systems, many based on a Linux core, such as
Snappy (Ubuntu), or on the C programming language, such as TinyOS.
As you might imagine, with such incredible diversity of hardware and operating systems, combined with the dizzyingly efficient wireless networking capabilities, IoT security is a nightmare.
Additionally, what IoT devices have in common from a security standpoint are weak
default settings. Most manufacturers of IoT devices in the consumer sphere, for example,
err on the side of ease of use for the consumer rather than rigorous security for the power
user or IT security specialist. Fine-tuning options such as connectivity and notification
settings can go a long way toward adding worthwhile security to IoT devices.
Specialized Systems
Both CompTIA and many writers throw up their hands at the rest of the dedicated systems, calling them simply specialized systems. A specialized system offers all the hallmarks
of other dedicated systems, such as relying on an SoC or using an RTOS. The specialized
systems that you’ll run into most commonly fall into several categories:
•
•
•
•
•
09-ch09.indd 441
Medical systems
In-vehicle computing systems
Smart meters
Surveillance systems
Voice over IP
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
442
Medical Systems
The push to smaller and increasingly powerful computing devices that can connect to
the Internet has revolutionized some medical systems. People with irregular heartbeats
have benefitted from pulses from an electronic device called a pacemaker for decades.
The pacemaker simply stabilizes the heartbeat, granting the wearer generally a much
longer lifespan. For 50+ years, pacemakers were (relatively) simple devices, implanted in
patients and replaced periodically as their batteries depleted. Spin to today.
IoT pacemakers not only provide stimulus to regularize the heartbeat but also transmit over the Internet so doctors and technicians can monitor the patient’s heart and
the current level of battery power. IoT pacemakers eliminate the guesswork of when to
replace or recharge a traditional pacemaker, yet another example of a breakthrough in
medicine made possible through IT. See Figure 9-5.
Other Internet of Medical Things (IoMT) devices—both wearable and implanted—
monitor all sorts of things, from general vital signs to specific things like glucose levels
in diabetic patients. The IoMT field continues to grow, combining medical systems with
phenomenal technology advances.
The inherent security risks involved with IoMT devices cannot be dismissed. Any
device that connects to a network has vulnerabilities and the potential for hacking. A
hacked medical lifesaving device could have deadly consequences. So far in the field
attacks have been theoretical. There’s hope for humanity?
NOTE As soon as you venture into the medical field, take into consideration
the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
discussed way back in Chapter 1. HIPAA stipulates rules governing personal/
private medical information that security professionals absolutely need to
account for in the planning and deployment of systems.
Figure 9-5
IoT pacemaker
shown in X-ray
(Image: Trout55,
Getty Images)
09-ch09.indd 442
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-1: Embedded, Specialized, and Mobile Systems
443
Figure 9-6
Connected
automotive
computing
system (Image:
mbbirdy, Getty
Images)
In-Vehicle Computing Systems
Automobile manufacturers have incorporated computing devices into their products for
decades. Adding connectivity to the global network was but a matter of getting systems
and electronics in place. The consumer market demands automobiles with built-in systems that provide navigational functions, entertainment functions, and even access to the
Internet (Figure 9-6). Automobile manufacturers want to cater to consumers by including all of these great features, as well as the ability to access vehicle health information
via network connections. These network connections may include Bluetooth, Wi-Fi, or
even, in some cases, cellular connectivity.
NOTE Although not included in the CompTIA Security+ exam, not
surprisingly vehicle-to-vehicle (V2V) communications have standards, notably
the IEEE 1609 Wireless Access in Vehicular Environments (WAVE) protocol stack.
Also related are vehicular ad hoc networks (VANETs), connectivity options
for on-the-fly interconnectivity among automobiles. These technologies,
protocols, and standards have been around for years, but the push to selfdriving cars seems to furthering the cause.
Again, V2V and VANET are not on the CompTIA Security+ 601 exam,
but where there are interoperable wireless computer systems, you’ll find
vulnerabilities that require careful consideration by IT security professionals.
So if computers are now being built into automobiles or added in as aftermarket
devices, what are the security ramifications? And how do you secure in-vehicle computer
systems? Will it become necessary to install a firewall in your car?
And it’s not just automobiles that have computing systems. Aircraft of all sorts, both
manned and unmanned, have increasingly sophisticated computing systems, many
connected to extended networks and the Internet. Your next unmanned aerial vehicle
(UAV)—that’s a drone, for all you normal folks—guaranteed will have multiple embedded camera systems, high-end wireless networking capabilities, and an SoC to run them
all (Figure 9-7).
09-ch09.indd 443
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
444
Figure 9-7
DJI drone with
one SoC to rule
them all! (Image:
ROBYN BECK
/ Contributor,
Getty Images)
From a security perspective, in-vehicle computing systems have some of the same
common vulnerabilities that other systems have, which may include network security
issues, such as the vulnerabilities inherent to Bluetooth, Wi-Fi, and cellular technologies. There are also issues involving firmware and patch updates to the systems. Many
of these systems have USB or SD card ports, for example, to upload firmware updates
or play media content on the devices. Perhaps someday someone will develop a virus or
other type of malware that could be injected into these types of systems via a removable
media device.
Other security issues may be only the speculative fantasies of geeks, such as a hacker
taking over your car and driving it while you’re going down the road or conducting a
DoS attack on your engine or transmission, resulting in the car coming to a complete
halt on the Autobahn. However remote these possibilities may be, they may not be
too far down the road (pun intended). In short, vehicular computing systems are a
new frontier, for both security professionals and hackers. Although traditional security
methods and controls will probably work to a large degree, other methods will have to
be developed to ensure that these types of static hosts are well protected from malicious
users and attacks.
Smart Meters
Smart meters rely on cellular and wireless networks to communicate to consumers and
utility companies real-time information about power usage, usually electricity, but also
natural gas or water. A smart meter can alert when something spikes unexpectedly—such
as water usage, indicating a possible water main break that starts wastefully dumping
liters of water—and help consumers and providers optimize power usage. Figure 9-8
shows a smart meter that records and reports on the electricity usage at my house.
Surveillance Systems
Consumer use of surveillance systems has exploded with the advent of phenomenal camera technologies, SoC capabilities, and cellular and Wi-Fi connectivity. Grainy footage of people trying to penetrate government facilities back in the day has evolved into
09-ch09.indd 444
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-1: Embedded, Specialized, and Mobile Systems
445
Figure 9-8
Smart meter
gloriously high-definition footage and audio of people stealing packages from your front
porch. The wireless Ring doorbell at my front door (Figure 9-9), for example, enables me
to interact in real time with people at the door, regardless of whether I’m in the house or
across the planet (Figure 9-10).
The security implications and considerations with modern IoT surveillance systems
run from paranoia to downright scary. Ring devices, for example, interface with Amazon
Figure 9-9 Ring doorbell (Image: Chip Somodevilla / Staff, Getty Images)
09-ch09.indd 445
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
446
Figure 9-10
Ring app
Alexa home infotainment devices to send your security footage to “the cloud.” Nothing
stops “the cloud” from sharing your footage with local law enforcement or companies
that can monetize the information in some other way. Other device manufacturers have
been accused of sending personal information gathered from their devices secretly to
other nation states.
EXAM TIP Surveillance systems are a good example of point-to-multipoint
communication, where the base station interacts with multiple wireless
nodes (the cameras). The nodes don’t communicate with each other, but
rather all report back to the base.
Voice over IP
Office telephone systems used to have their own dedicated wiring and devices, all functioning on the antique POTS signaling standards. Telephone connections centered on a
PBX block and used Cat 1 cabling with RJ-11 jacks (Figure 9-11).
It became increasingly obvious that installing dual cable runs (Cat 1 and Cat 5) in
new buildings late last century was a waste because Cat 5 could do the work of either
cabling standard. Eventually developers came up with Voice over IP (VoIP), a way to
do telephony over TCP/IP networks, with no need to use ancient technology. Many
(most?) enterprises today have ditched the old PBX telephone systems for modern
VoIP systems.
Figure 9-11
RJ-45 and RJ-11
jacks (Image:
pablohart, Getty
Images)
09-ch09.indd 446
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-1: Embedded, Specialized, and Mobile Systems
447
This is all stuff you should remember from CompTIA Network+ or even CompTIA A+
training, so I doubt we’re telling you something new here. The real question for CompTIA
Security+ is what security implications VoIP systems pose.
You need to secure VoIP communications just like you would any other IP network.
Typical VoIP attacks include denial of service, spoofing telephone numbers, and just
harassment.
Mobile Systems
The term mobile systems refers to all of the general computing devices not tethered to a
cable, such as laptop computers (running Windows, macOS, Linux, or Chrome), tablets
(running iOS or Android), and smartphones (also iOS or Android). Figure 9-12 shows a
Microsoft Surface portable computer running Windows 10.
Mobile systems, as general-purpose devices, function similarly to other Internet of
Computing (IoC) devices (workstations, servers, routers) and have similar security issues
and solutions. Keep the OS and apps updated. Keep the firmware updated to ward off
attacks. Manage the devices with firewalls and other standard security options.
Mobile systems differ from the wired IoC devices in connectivity, on the other hand,
which we’ll look at next, and in mobile-specific security issues (in Module 9-4). We’ll also
explore problematic areas when introducing mobile devices to the enterprise.
Figure 9-12
Microsoft Surface
(and yes, I have a
ping pong table
in my dining
room . . . Don’t
judge!)
09-ch09.indd 447
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
448
Module 9-2: Connecting to Dedicated Systems
This module covers the following CompTIA Security+ objectives:
• 2.6 Explain the security implications of embedded and specialized systems
• 3.5 Given a scenario, implement secure mobile solutions
Dedicated systems rely on many of the same technologies to enable communication
among devices. This module first explores the security implications in common technologies shared among the devices and then looks at low-power technologies exclusive
to IoT devices.
NOTE This module assumes you have CompTIA Network+ knowledge
of how these various technologies work. If you need a refresher, check out
the excellent CompTIA Network+ Certification All-in-One Exam Guide by
yours truly.
To put all of the communication technologies in context, this module offers several
examples based on the following hypothetical scenario. The Bayland Widgets Corporation (BWC) main campus has several buildings connected via fiber-optic cabling and
Ethernet. (The details of those connections are unimportant for this discussion; we’re
just setting the stage.) One of the buildings houses the factory that builds BWC’s worldfamous widgets. A SCADA system—including processors, control modules, sensors,
actuator arms, robotics, etc.—controls the production machines. The main office building has employees, naturally, and a diverse collection of IoC and IoT devices. These
devices include standard workstations and servers, plus many portable computers, tablets,
smartphones, wearables, and so on. Plus, the entire campus has a surveillance system
comprising cameras and control units, all of which feed back to the security center.
The menagerie of devices introduces a plethora of device communication types, all of
which have security implications. Let’s look first at communication technologies prevalent in most of the devices, then turn to specific IoT communication technologies.
Common Communication Technologies
Many devices in the BWC campus connect with common technologies. These include
cellular networks, 802.11 Wi-Fi, Bluetooth, NFC, and infrared.
Cellular
Current cellular networks rely on either 4G or 5G technologies connecting cells (geographical areas) via various radio frequencies. Cellular radio towers with base transceiver
stations enable the networks to cover enormous areas.
4G networks provide excellent coverage using the 450- to 3800-MHz bands, enabling
download speeds at up to 300 Mbps and upload speeds of 75 Mbps. 5G networks operate
09-ch09.indd 448
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-2: Connecting to Dedicated Systems
449
at three distinct bands: Low-band, Mid-band, and High-band. The higher the band, the
faster the connection speed, but the shorter the range. 5G devices connect automatically
at the fastest speed available at range.
Most cellular devices also use a subscriber identity module (SIM) card (Figure 9-13)
that stores identity (hence the name) and enables authentication between the device and
mobile carriers. All sorts of devices use SIM cards, from smartphones to cameras to wearable IoT devices.
NOTE SIM cards can be hacked, especially in older devices. The CompTIA
601 objectives don’t mention SimJacker, but the attack exploits a common
software installed on SIM cards from virtually every manufacturer, called S@T
Browser. The fix? Upgrade to a device that uses a current SIM card without
that vulnerability.
The BWC campus has several cellular towers nearby, providing Internet connectivity
(and thus interconnectivity) with a ton of employee devices. Every employee has a smartphone, for example, and many have tablets with cellular connection capabilities.
Cellular voice and data services these days offer very robust security. Direct sniffing of
these networks is difficult at best (assuming you’re using a late-generation 4G/LTE or 5G
phone). Carriers will quickly detect and act on any attempts to emulate a cell tower, for
example, which could lead to serious legal ramifications for the bad actor.
An attacker has the best potential for success attacking cellular by avoiding cellular
altogether. The switch point for devices between cellular and Wi-Fi provides an excellent
attack surface because Wi-Fi offers much weaker security than cellular.
Finally, privacy issues should concern users and IT security folks when working with
cellular. Turning off geolocation services—where the cellular provider can track your
whereabouts at all times—can enhance privacy, although you’ll lose useful functionality.
Getting directions from Siri or from Google Maps goes right out the window, because
geolocation services access the Global Positioning System (GPS) satellite network to show
where you are in relation to other places.
Figure 9-13
Typical SIM
card (Image:
Thomas Trutschel
/ Contributor,
Getty Images)
09-ch09.indd 449
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
450
Wi-Fi/Bluetooth
Chapter 7 covered Wi-Fi in detail and Bluetooth a bit more lightly. Every wireless security aspect covered previously applies to mobile and IoT devices, but they add a few
more problems. One of the most challenging issues in Wi-Fi comes from stored profiles.
Mobile devices can grab standardized hotspot SSIDs pushed out by ISPs such as “xfinitywifi” or “attwifi,” and some will in turn become mobile hotspots that seem very similar
to the initial hotspot (Figure 9-14).
You can enhance or upgrade some dedicated devices by adding the latest generation Wi-Fi or Bluetooth card via a universal serial bus (USB) port. Conversely, some
users might try to skirt air gap rules (where their devices should not connect with other
devices) by plugging in a USB cellular device. These shouldn’t be common variances, but
they might show up on a Security+ exam in your near future.
EXAM TIP Bluetooth is an example of point-to-point communication, from
one device to another device.
BWC has a mesh Wi-Fi network throughout the campus, providing both interior and
exterior space connectivity for mobile devices. For security, the IT department implements
WPA3 encryption throughout, though also providing access using WPA2 for older devices
during the transition year. The mixed encryption system isn’t ideal, but it’s good enough.
Figure 9-14
Author’s Xfinity
hotspot
09-ch09.indd 450
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-2: Connecting to Dedicated Systems
451
Near-Field Communication
Many mobile devices use near-field communication (NFC), just like you read about
in Module 7-2, for quick payments and such. NFC uses radio-frequency identification
(RFID) technologies to enable communication with unpowered electronic tags on an
unlicensed ISM radio-frequency band (13.56 MHz). All the security issues for NFC
apply to its use in mobile devices.
While NFC contains basic encryption, the technology relies on the short distances
(within four inches) and quick communication to provide security. Modern payment
services that use NFC, such as Apple Pay, add their own security protocols as well to
ensure safety of personal information.
NOTE Android embraces NFC heavily. Apple typically uses NFC only for the
Apple Pay app, although Apple is slowly opening iOS to more NFC options.
Infrared
One of your authors loves his Android phones if for no other reason than only Androids
(and not all of them) come with an infrared (IR) transmitter—enabling connectivity via
light waves—known generically as an infrared blaster. IR blasters can emulate any IR
remote control, turning any Android into a universal remote. Since these devices only
transmit simple remote-control commands, there is no risk to your mobile device. The
risk is that any IR blaster can quickly take complete control of any device designed to
receive those commands, making the Android the bad actor. The only real defense is to
block the IR receivers.
NOTE The other author eschews Android, fully embracing the Apple iOS
ecosystem. He’s clearly the more cultured of the two, even if it means not
being able to hijack the hotel lobby television.
IoT-Specific Communication Technologies
IoT developers use communication technologies created specifically for low-powered
IoT devices. There are quite a few proprietary and open-source technologies in use. Four
common ones are Narrowband IoT, Bluetooth Low Energy, Zigbee, and ANT.
Narrowband IoT
Developers use the Narrowband Internet of Things (NB-IoT) technology for high connection density IoT deployment, specifically with an eye to maximizing battery life and
minimizing costs. Narrowband means NB-IoT uses only a single radio frequency—200 KHz.
The goal with NB-IoT is to provide good coverage and devices that don’t need recharging
for years.
09-ch09.indd 451
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
452
EXAM TIP Part of the underlying physical layer of NB-IoT can rely on devices
that use baseband radio processors that manage radio functions from
multiple devices. Sounds like a circular definition, but you might see the
term on the exam.
Bluetooth Low Energy
The inexpensive devices that employ the Bluetooth Low Energy (BLE) networking technology consume very little electricity, yet have a range similar to their big brother Bluetooth. BLE devices are not compatible with Bluetooth, but the technology is part of the
Bluetooth 4.0 and Bluetooth 5 standards. Like Bluetooth, BLE creates a personal area
network (PAN) for devices interconnecting. Every major mobile and desktop OS supports BLE. BLE devices range from security to home entertainment to medical.
Zigbee
Devices and systems that rely on the Zigbee communication protocols offer ad hoc personal area networks that use very low-power radios. This low-bandwidth solution works
perfectly for things like medical device data collection and home automation. Zigbee is
an open standard, so adoption by manufacturers is increasing.
BWC has implemented centrally monitored Zigbee systems in its new buildings to
control lighting, window blinds, access control, and climate control. The cost savings
provided by the smart IoT systems compared to the older dumb systems in the original
buildings will most likely lead to systems upgrades in the near future. Old might be
quaint or picturesque, but energy efficiency helps everyone.
ANT
ANT is a low-speed, low-power networking technology. Wi-Fi and Bluetooth are powerful wireless tools, but both of these technologies require rather chatty, relatively powerhungry devices. Bluetooth isn’t nearly as power hungry or as fast as Wi-Fi, but when you
have very small devices such as heart rate monitors, even Bluetooth uses too much power.
Garmin introduced the proprietary ANT protocol around 2007 for low-power sensors that don’t send a lot of data and that often go for extended periods of time without transferring data (like your author’s heart rate monitor that’s used at most once a
week). The latest version of ANT is called ANT+. ANT/ANT+ is a superb protocol that’s
incredibly low powered and has enough bandwidth for many devices. ANT is encrypted
with AES, so hacking isn’t an issue (yet). The only downside to ANT/ANT+ is that Apple
devices lack an ANT radio. In that case you’d need an ANT/ANT+ USB dongle to talk
to an ANT device (Figure 9-15).
EXAM TIP You won’t be tested on ANT or ANT+ on the CompTIA Security+
exam. We’ve included the technology here as useful real-world information.
09-ch09.indd 452
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-3: Security Constraints for Dedicated Systems
453
Figure 9-15
ANT USB dongle
ANT+
Module 9-3: Security Constraints
for Dedicated Systems
This module covers the following CompTIA Security+ objectives:
• 2.6 Explain the security implications of embedded and specialized systems
• 2.8 Summarize the basics of cryptographic concepts
IT security specialists need a solid understanding of the security constraints and concerns for embedded systems, IoT systems, and specialized systems to help clients secure
their networks. This section explores hardware, programming, and connectivity.
Hardware
Embedded and specialized systems come in an astonishing variety, but they have one feature in common: the static nature of their hardware. When you buy a device built around
an SoC, for example, you can’t change or upgrade the core computing capabilities of the
device. (That’s the compute portion of devices, in industry jargon.) You can certainly add
all kinds of additional features to a Raspberry Pi, but the core CPU, RAM, and connection options don’t change.
That static nature also applies to the security built into the device by the manufacturer, especially when dealing with IoT devices. Competition in the market drives manufacturers to reduce costs or provide low-cost devices for consumers. This often means
serious resource constraints to favor price over security. Further, manufacturers release
devices into the market with the assumption that they’re “place and forget” devices for
consumers; in other words, once set up, consumers will assume they’re done configuring
or messing with the devices. This leads to a lot of problems, especially when dealing with
the flip side of hardware, software.
Programming
Dedicated systems—especially IoT—have glaring security weaknesses because of the
nature of the systems. Consumers have deployed billions of IoT devices; manufacturers
have chosen low cost and ease of use over security. Many IoT devices have very specialized operating systems based in read-only memory (ROM) of some sort that requires
09-ch09.indd 453
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
454
user interaction to upgrade or patch. Other dedicated devices rely on light Linux distros
that may not have all the security locked down. I’m not exaggerating the problem here.
A group of undergraduate students at Rutgers University in the United States developed the Mirai botnet, a simple and ingenious software program that did a blanket scan
for open Telnet ports on IoT devices over a wide geographic area. Mirai targeted the IoT
devices and automatically tried 61 user name and password combinations to build an
enormous botnet army. And then the Mirai developers attacked. In September 2016,
Mirai was successfully used against a French hosting company that provided tools to stop
distributed denial-of-service (DDoS) attacks on Minecraft servers. You read that correctly. “Anna-Senpai,” the leader of the Mirai developers, was a serious Minecraft player.
And he led a DDoS attack against a company specializing in anti-DDoS protection.
NOTE Anna-Senpai’s real name is Paras Jha. His cohorts were Josiah White
and Dalton Norman. All of them were just supersmart college students
trying out a new technology. They served a lot of hours of community
service after confessing to the FBI and, presumably, are deep in the white hat
security world now.
Unfortunately for the world, after the first successful Mirai botnet attack, the developers released the Mirai source code online. The next serious attack happened a month later
against Dyn, Inc., which was a major provider of DNS services in the United States (subsequently acquired by Oracle). This attack caused some major players on the Internet to
go dark for a few hours, including Twitter, Reddit, and Spotify. And the Mirai source
code is still out there, getting modified and refined. The risk is real.
Updating the programming that secures dedicated systems offers the best route to
security. Let’s look at obstacles to updating and then paths to updating.
Inability to Patch
Dedicated systems often don’t lend themselves to automatic updates. This constraint
could be caused by several factors:
• Some of these dedicated systems are not always connected to the Internet—a
network constraint. In the case of SCADA systems or medical devices, for example,
there may be no way to connect them to the Internet without incurring a
security risk.
• The vendor may not have included an automated update process with the
device. Some devices may require the download of a patch, an image, or a piece
of firmware that has to be manually installed on the device using a very specific
process, often resulting in rebooting the device into a special maintenance mode.
• The data sensitivity of the systems in question might be so high that the
organization can’t perform automatic updates or connect them to the Internet for
classification reasons. For example, some US government systems, particularly
those of a classified nature, cannot be connected to the Internet.
09-ch09.indd 454
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-3: Security Constraints for Dedicated Systems
455
For these reasons, manual updates may be required for some static dedicated systems.
If you have the ability to automate device updates, then obviously you should use that
method as much as possible, since it ensures that updates are applied in the most efficient
way possible. On the other hand, manual updates can give you the opportunity to test
patches and other software updates before applying them to a production system. Often,
you can download updates manually, test them in a test environment that mirrors your
production systems, and then apply them to the production systems only after you are
sure that they will cause no ill effects. You should also record manual updates, so that you
can trace any issues that arise from them back to a particular patch or update.
Firmware Version Control
Many devices running dedicated systems get firmware updates. Remember that firmware
is typically applied as updates to programming in the chips on the hardware portion of
the system, rather than as patches to the operating system or application software. Firmware updates can fix issues with both the operating system and hardware on a device,
as well as provide for security patches. Firmware updates can also add new features to a
device. For personal devices, firmware version control may not be a big issue; often if the
user experiences any issues with the device after the firmware has been updated, the user
can reverse the update process and regress to an earlier version rather easily. In an enterprise environment, however, it’s extremely important to maintain version control on
firmware updates, because a firmware update may cause issues with production software
or devices that the organization needs to fulfill its business purposes.
As I mentioned previously when discussing manual updates, you should first test firmware updates in an appropriate environment, and then apply them to production devices
only after you have confirmed that they cause no ill effects. You also should record firmware versions in a central database. Read the documentation accompanying the firmware
updates to learn about any known issues with other software or hardware used by the
organization.
Connectivity
Dedicated systems for the most part connect to other computing devices. Systems running multipurpose operating systems like Linux and hooked up with Ethernet or 802.11
Wi-Fi generally use the standard protocols used for connectivity with IoC devices. Moving over to IoT device connectivity, on the other hand, brings up a lot of security issues
in communication and cryptography.
Low-powered IoT devices rely on low-power protocols, such as Zigbee, Bluetooth Low
Energy (BLE), and IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN), that enable connectivity over a short range (compared to 802.11 Wi-Fi). (You
read about Zigbee and BLE in Module 9-2.) Low-powered IoT devices rely on lightweight cryptographic algorithms that don’t offer as much security as heavier ones—because
they need to function using much lower computing power. Worse, because of their static
nature, the IoT devices cannot upgrade to more secure protocols in the future. And the
previously mentioned “place and forget” nature of IoT means consumers won’t even
think about upgrading with more secure components down the road.
09-ch09.indd 455
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
456
Most IoT devices rely on simple password-based authentication methods, though the
process and security involved vary tremendously. There is no universal authentication
protocol for IoT, but rather a multitude of frameworks, all constrained by the relatively
limited processing power of IoT devices. Some ecosystems from the big players, like
Amazon and Google, use the same authentication as their desktop applications, but
smaller players that create light bulbs, refrigerators, and so on? Their devices rely on
simple passwords.
Compounding the security issues with IoT devices is the implied trust among devices
within a network space. Implied trust traditionally refers to all the networked computers
inside an enterprise or single building. You trust that employees won’t hack each other or
do malicious things. You protect against outside threats, but not inside. (This is rapidly
changing, as we’ll discuss in a moment.)
In the context of consumer IoT devices, implied trust refers to the trust consumers
have in device vendors. Consider the scenario of a consumer purchasing a series of home
automation devices to control lighting, heating and cooling, security, and so on. Assuming that the consumer purchases from a single vendor, such as Google or Amazon, the
consumer implicitly trusts the vendor to provide security in two areas. First, inside the
home, the consumer implicitly trusts that the vendor has made its devices interoperable
and secure. Second, beyond the home, the consumer implicitly trusts that the vendor has
a secure cloud to support all the cloud features of its devices.
In practice, this trust model breaks down swiftly because consumers mix and match
IoT devices from different vendors all the time. These heterogenous vendor devices often
don’t communicate well together straight out of the box. What is the typical consumer’s
solution? Lower the security settings that stop the devices from talking amongst themselves. This, as we say in the business, is a bad thing. And at the consumer level, all the
security issues outlined previously remain the unfortunate current state of affairs.
At the enterprise level, in contrast, a lot of companies have adopted (or are in the
process of adopting) the National Institute for Standards and Technologies (NIST) zero
trust architecture (ZTA) guidelines that recommend organizations require proper authentication and authorization in all interactions with assets. In other words, ZTA throws out
the implicit trust model and insists on secure connections within as well as without the
enterprise. In practice it means that Joe’s iPad should not connect to any network shares
without proper authentication, even though Joe has been a loyal employee for 22 years.
NOTE See NIST Special Publication 800-207, Zero Trust Architecture, for more
on ZTA.
Module 9-4: Implementing Secure Mobile Solutions
This module covers the following CompTIA Security+ objectives:
• 3.5 Given a scenario, implement secure mobile solutions
• 3.7 Given a scenario, implement identity and account management controls
09-ch09.indd 456
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-4: Implementing Secure Mobile Solutions
457
When so-called “smart” devices entered the consumer market, they were all the rage
because, beyond traditional voice communications, they enabled users to communicate
with friends, family, and associates nearly simultaneously in several new ways, by using
social media sites, sharing photos and videos, using text and chat messages, and so on.
They also became the ubiquitous computing platform, replacing traditional desktops
and laptops to a large degree, enabling users to play games, manage their finances, dictate short documents, and perform other tasks. The problem was, however, that users
expected to see the same cool, wide-ranging functions on their work computers as well,
but the business world hadn’t caught up with the mobile device app explosion. As a
result, many users started bringing their devices to work, most of the time without management approval, and doing company work on them. Figure 9-16 shows examples of
some of the personal mobile devices that wander into the office.
That’s all changed now, of course, as businesses rapidly adopted mobile devices into
their infrastructures. Businesses issue smartphones and tablets to employees, provide
for their communications links and Internet services, and allow employees to use these
devices to perform work functions—and, in some cases, even do some of their personal
stuff on them.
Unfortunately, any new technology or change in the business infrastructure introduces new security issues. Sometimes organizations are in such a hurry to implement
new technology that they overlook security issues, and their main focus is on how much
stuff the technology or device can do. In other words, the focus is on the functionality of
the device or technology rather than on security. With the infiltration of mobile devices
into the business world, however, developers and engineers, business managers, and even
users to a certain degree have worked to make use of mobile devices more secure.
Figure 9-16 Personal mobile devices that tend to show up at work (photo courtesy of Sarah
McNeill Photography, used with permission)
09-ch09.indd 457
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
458
The next few sections explore some of the security features that mobile devices offer
and how to integrate them into the corporate infrastructure and networks. We’ll do this
in six sections:
•
•
•
•
•
•
Mobile device management
Deployment models
Inventory control and asset tracking
Application management and security
Encryption and authentication
Enforcement and monitoring for device security
Mobile Device Management
Mobile device management (MDM) is a process in the business infrastructure in which the
company can bring mobile devices under the umbrella of the company’s existing enduser device management for traditional desktops and laptops. MDM enables a company
to manage all the devices that connect to the company’s network centrally—not just
the devices tied to a desk that don’t exit the building in someone’s pocket. Many considerations go into MDM, including the wide variety of vendors, platforms, operating
systems, applications, features, and even telecom providers for these devices. Unless the
business standardizes on one vendor or platform, it may find that managing all of these
different devices is challenging.
Essentially, through MDM, a business can manage a mobile device using the same
technologies and methods used for traditional desktops, and with the same level of control. Figure 9-17 shows an example of a basic MDM software user interface.
Figure 9-17 Basic MDM software
09-ch09.indd 458
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-4: Implementing Secure Mobile Solutions
459
Subsets or related technologies to MDM include MicroSD hardware security modules, unified endpoint management, and Security Enhanced Linux for Android. Let’s
explore these technologies.
MicroSD Hardware Security Module
The MicroSD hardware security module (HSM) works specifically with Android-based
smartphones and tablets to provide robust encryption and security via a microSD smart
card. The smart card includes public key encryption, public key authentication, and
crazy levels of encryption, including 256-bit AES, 521-bit ECC, and 4096-bit RSA. Add
a MicroSD HSM card to devices in your enterprise to enhance security.
NOTE We covered HSM in general way back in Module 5-4. Check out that
section to refresh your memory if necessary.
Unified Endpoint Management
Unified Endpoint Management (UEM) tools take MDM to the next level, providing
the enterprise with centralized control over all endpoints, including mobile devices
(smartphones, tablets, laptops) and IoT devices such as wireless MFDs (introduced in
Module 9-1) and wearables.
EXAM TIP UEM products currently seem to be as much about marketing as
about technology, but expect a question about the awesome control offered
by UEM for the enterprise on the CompTIA Security+ exam.
Security Enhanced Linux for Android
Increasingly, Android-based devices rely on a mandatory access control (MAC) mechanism to provide security called Security Enhanced Linux (SELinux). SELinux gives security experts security policies that govern all aspects of deployed Android devices, such as
operations, objects, and processes. This granular security enhances the traditional security in Android devices which was based on discretionary access control (DAC). DAC
worked well enough in the beginning, but malicious or faulty apps could leak data; DAC
permissions lacked subtleties or granularity to work well in some situations; and root or
superuser accounts could run all sorts of setuid programs or system daemons with no
control. SELinux for Android—or SEAndroid, in CompTIA speak—provides a serious
security upgrade over DAC.
Deployment Models
The deployment model with mobile devices specifies how employees get a mobile device
in their hands. The deployment model defines issues such as whether the corporation
provides devices to employees or employees bring their own devices. The deployment
model defines aspects of mobile device management.
09-ch09.indd 459
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
460
Corporate-Owned, Business Only
A corporate-owned, business only (COBO) deployment model means that the organization
issues mobile devices to employees and holds ownership of the devices, the maintenance
of the devices, and the applications and the data on the devices.
Bring Your Own Device
Everyone already has a smartphone, and bring your own device (BYOD) deployment
means to have employees bring their own devices and use them for business purposes.
This brings up a number of security issues, as BYOD compels employees to offer some
amount of control of their personal systems to the organization.
Choose Your Own Device
With the choose your own device (CYOD) deployment model the organization offers a
selection of mobile devices from which employees can choose. Either employees buy the
devices outright or the organization owns the device and offers employees an attractive
rental for the duration of their employment. In either case, the organization has complete
control over the mobile device (although employees may install personal apps).
Corporate-Owned, Personally Enabled
Similar to COBO, with the corporate-owned, personally enabled (COPE) deployment
model the organization issues a mobile device, but unlike COBO, employees are allowed
to install a specific number of preapproved (white-listed) apps for their personal use.
Containerization
BYOD, CYOD, and COPE all share a common problem: how can we separate the organization’s applications and data from the employee’s applications and data on the same
device? Every mobile operating system supports containers to address this issue. A container is nothing more than a virtual operating system just as a virtual machine is virtual
hardware. Using containerization enables the organization to create a separate operating
system on the mobile device, completely separating the employee’s applications and data
from the organization’s.
Figure 9-18 shows one example of containerization offered on an Android system.
Note that there are two Contacts, two Calendars, and two Play Store apps. Using containerization enables this feature.
Containerization normally relies on storage segmentation, the practice of partitioning
off storage areas in the device, usually to provide separate areas for company or sensitive
data and personal data. Through storage segmentation, it’s possible to impose different
access controls on specific types of data. Figure 9-19 describes the concepts of sandboxing (which you read about in Module 8-2) and containerization. Storage segmentation
can be imposed on the device’s built-in storage area or on removable media as well.
Virtual Desktop Infrastructure
If an organization wants to avoid the issue of device ownership altogether, it can get
around the problem completely by offering a virtual desktop infrastructure (VDI), which
09-ch09.indd 460
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-4: Implementing Secure Mobile Solutions
461
Figure 9-18
Containerization
on an Androidbased mobile
device
you also read about in Module 8-3. With a VDI, every employee has a virtual machine
running on a server owned by the organization. The employee may access this machine
via any device running any operating system and is presented a virtual desktop with the
applications the employee needs.
Figure 9-19
Containerization
used to separate
apps and data
from each other
Sandboxing
Containerization
App
Personal Data
App
Corporate Data
Hardware Interface
Mobile Device
09-ch09.indd 461
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
462
Inventory Control and Asset Tracking
One of the great things about using mobile devices in the enterprise is that employees
can use them anywhere. Unfortunately, however, that means that the devices don’t always
reside on the company property. They walk off with the user, so the company often
doesn’t know exactly where they are and what they’re being used for, or even who’s using
them. As with traditional desktops, inventory control is important with mobile devices,
perhaps more important, since they are portable. Several technologies make it easier to
manage mobile devices, even when they are off the company campus.
We will discuss many of these technologies later when we get into device-specific security methods, but for now understand that companies can’t implement any of them well
unless they are part of an overall MDM infrastructure. MDM enables centralized control
of devices, including inventory control, so IT management always knows the location of
devices and, in many cases, knows which authorized users have control over them. Since
mobile devices tend to talk to the MDM infrastructure often, IT management can have
an almost 100 percent real-time inventory of mobile devices via the MDM software. Of
course, the traditional method of having a user bring the device to the office to scan it
with a barcode reader can also make sure that IT management knows the device is safely
checked in or out.
Along with inventory control, asset tracking is important. Asset tracking means knowing the location of devices at all times, who has them, and how they are being used. Asset
tracking can be provided through the MDM infrastructure as well as via the device—
through features such as GPS and other location-based services, as well as software agents
that can be placed on the devices when they come under management control. Combined
with strong security policies applied to mobile devices through MDM, asset tracking can
provide visibility into what’s happening with these devices at all times. Figure 9-20 illustrates how location services can show the exact location of a device.
Figure 9-20 Location services make it easier to track mobile device assets.
09-ch09.indd 462
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-4: Implementing Secure Mobile Solutions
463
Device Access Control
Yet another management goal of business when integrating mobile devices into its networks
is to control what data, systems, and resources the mobile devices connect to and access—
device access control. As with any other device or user, the goal is to make sure that people
using mobile devices can access only the data and systems they need to do their job and no
more. Your organization can and should definitely use traditional access controls, which
include restrictive rights, permissions, and privileges. You can implement these controls at
the resource level, such as assigning permissions to a folder or file, but you can also implement them at the network level. For example, modern mobile devices can use strong authentication mechanisms, such as certificate-based authentication, which you can integrate with
your network’s directory services, such as Active Directory. This can prevent an unauthorized
user from stealing a mobile device and attempting to connect to your network and access
your resources. Other traditional methods of access control that you can use in conjunction
with mobile devices include firewalls, network access control devices, and so on.
On the flip side of device access control, in addition to the desire to control access
to network resources within the business perimeter, most administrators also want to
control what a device can access and do when it leaves the company network. This can
be harder to control since the device is no longer under the physical or logical control
of the company. It may connect to unsecure home or hotel networks, for example, or
to unsecure free Wi-Fi networks that have no required authentication or encryption.
These are challenges when trying to control devices remotely and control what they can
access offsite. Fortunately, administrators can apply MDM security policies to devices to
control access to certain content (content management), applications, and Internet sites.
These policies prevent users from doing things or accessing content that’s prohibited by
the company. Figure 9-21 illustrates how this works.
Geotagging
Geotagging is the process of including in a file, such as a picture or video file, metadata
that contains the location information of the device when the file was created or processed. For example, people often take pictures and geotag them with location information, which might include the GPS coordinates, time and date stamps, and other types
of information, to include a description of an event. Geotagging is useful from several
perspectives in the corporate environment. An investigator conducting a forensic analysis
of a device, for example, could look at geotag information in the file metadata to try to
determine patterns of where the device has been and how it has been used. Geotagging
also may serve a purpose in verifying the time, date, and location of an employee who
performs a certain action, which may be required for compliance or policy reasons.
NOTE The CompTIA Security+ exam objectives use the term GPS tagging for
geotagging. These terms are synonymous.
The use of geotagging in tracking employees and their activities must be carefully considered, however, in environments where users are allowed to process corporate data on
their own personal devices. As with all personal data, geotagging can give away information
09-ch09.indd 463
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
464
Figure 9-21
MDM can
push security
configuration
and policies to all
mobile devices in
the enterprise.
MDM Server
Different Security Policies
1
2
3
Device Group 2
Device Group 1
Device Group 3
that an employee might not want the company to have, especially if it involves information of a personal nature. We’ll discuss that scenario later in the module. As with all the
other issues discussed here, geotagging should be addressed in policy documents.
Remote Management
Remote management is the key to protecting data in the corporate infrastructure. As
mentioned, once the device leaves company property, it’s difficult to control—that is,
unless the company has installed and configured remote management capabilities. This
requires admins to configure the MDM software properly, as well as the settings on the
device itself. Remote management enables a business to reach out and touch the device
virtually to monitor its location and use, as well as to protect data in the event the device
is lost or stolen. You need to be aware of a few different remote management functions
for the Security+ exam, as well as for use on the job.
Geolocation uses the GPS feature of the mobile device to locate it. Figure 9-22 shows
the Google device manager (called Find My Device) locating the author’s phone as he
watches the Houston Astros instead of working on this book.
Remote wiping (or remote wipe) is a capability you should use in the event a device is
lost or stolen and is not likely to be recovered. In this scenario, the MDM software would
enable you to send commands to the device that will completely wipe its storage areas,
erasing sensitive data, configuration, and so on. Wiping the device could effectively render it useless, or at least reset it back to factory conditions.
09-ch09.indd 464
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-4: Implementing Secure Mobile Solutions
465
Figure 9-22 Google device manager
Remote control is another security feature that you can enable on the device through
MDM software. You can use this feature to take over the device if a user can’t figure out
how to do something, of course, but a more useful security feature might be to take control of the device to prevent its misuse or to extract data from it before it’s wiped. You can
also remotely unlock a device using this feature if the user has forgotten a passcode and
doesn’t want to keep typing it in and risk wiping the device after several incorrect entries.
Onboarding/Offboarding
Managing mobile devices starts with the processes the organization uses in onboarding
and offboarding mobile devices. Onboarding encompasses all of the processes used to
introduce a new mobile device into the network and assign it to the user. This includes
provisioning the device to ensure that the device has the right settings to access the
mobile service provider or telecom provider, as well as installing all of the companyapproved applications on the device. Provisioning also entails making sure the right
user permissions and accesses are installed on the device, such as user names and passwords, digital certificates, and so on. The point of onboarding and provisioning a
device is to make sure that the device is fully functional so that a user can use it to
process company data.
Offboarding, as you might guess, is almost the exact opposite of onboarding and
provisioning. During offboarding, IT management collects the device from the user and
takes away access to the network with this device. In an orderly offboarding process, user
data is removed from the device and, if applicable, returned to the user. Corporate data
is also removed from the device and stored or disposed of as appropriate.
09-ch09.indd 465
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Chapter 9: Securing Dedicated Systems
466
The device might be decommissioned completely, removing it from inventory and
disposing of it, in the case of legacy devices or devices that no longer function properly.
If the device is not disposed of, it might be reused within the enterprise and issued to
another user; in that event it would go through the onboarding and provisioning process
again (although it may not require as much in terms of device activation and so on).
If the device has been collected from the user based upon a violation of policy or
the law, the device might also be subject to forensic analysis and examination, as well
as retention of any personal and corporate data on the device. In any event, a process
should be established within the organization for both onboarding and offboarding
mobile devices securely.
Application Management and Security
Application management means that the organization determines what applications can
be installed and used on the mobile device, as well as where it gets those applications
from. The organization can impose technical policies on devices that prohibit them from
downloading applications from certain app stores, for example, and restrict them to
downloading applications only from the internal company app repository or a specific
vendor or platform app store.
Application management also means exercising control over what apps can do on the
device, as well as what data they can access. For example, an organization can use certain methods to prevent a user’s personal app from accessing any corporate data stored on
the device. These methods may include restricting copy and paste operations, restricting a
user’s personal e-mail app from accessing the corporate e-mail’s contacts list, and other controls. Application control can be imposed on the device using different technical policies,
as well as tight control over user rights and privileges on the device. Other methods, such as
sandboxing and containerization (discussed earlier in this module), can be used to separate
applications and data from each other so that no interaction is possible between them.
Application Security
The organization should exert some sort of control over the security of the applications
themselves, simply because there may be security and interoperability issues with all the
different apps on mobile devices. This is dubbed application management. Some of these
applications may not work well with company-approved enterprise applications, and
some of these apps may not store, process, or transmit sensitive data securely. The organization may want to control which types of apps can be installed and used on mobile
devices, using either MDM or mobile application management (MAM) technologies. The
company may also want to set up its own app store, rather than allowing users to download apps from a vendor’s app store. An admin can use push notifications to get services
to devices, defining what apps are included (rather than relying on users to check for and
download important apps or updates).
Application Whitelisting
In application whitelisting, the organization allows only certain trusted applications to
be installed on mobile devices. The organization may exclude certain applications due
09-ch09.indd 466
25/03/21 2:18 PM
All-In-One / Mike Meyers’ CompTIA Security+™ Certification Guide, 3e / Meyers & Jernigan / 369-4 / Chapter 9
Module 9-4: Implementing Secure Mobile Solutions
467
to security, interoperability, or licensing issues. Applications acceptable in the organization might include secure e-mail applications, file transfer applications, and productivity
applications. Whitelisting enables the organization to include accepted applications in
policy configuration files that are sent to and maintained on the mobile device. These
policies may prevent a user from downloading and using unapproved apps or from
using certain vendor app stores. Often, secure configuration files for these apps are also
included for an app when the device is provisioned.
EXAM TIP The CompTIA Security+ 601 exam objectives replaced the
term whitelisting with allow list in objective 3.2 and application approved
list in objective 4.4. You will most likely see the commonly used term—
whitelisting—on both the exam and certainly in the real world, but be
prepared if CompTIA updates their question pool to see the newer terms.
Encryption and Authentication
Using encryption on mobile devices can protect data while it is stored on the device or
during transmission from the device back to the corporate network through untrusted
networks, such as the Internet. Mobile devices can make use of encryption in various
ways, includ